<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE answers the BoundsChecker request
        cmp al, 4               ; al is left untouched when SoftICE is absent
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0 if no VxD with that ID answered
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; added: ES must address the IVT (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; an arbitrary, hard to predict value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our handler really ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the SoftICE VxD by its device name */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

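As an added example that is not part of the original text, here is a small Python scanner an analyst can run over a DOS/Win9x-era sample to flag which of the checks from Methods 01 to 13 it carries. It looks for the byte patterns of the instruction sequences and the device/registry strings listed above; the instruction encodings are the standard x86 ones for those sequences, and the SAMPLE bytes are constructed for the demo, not taken from any real binary.

```python
import re

# Added example (not from the original text): flag the byte patterns behind
# the SoftICE checks listed above. Opcodes are the 16-bit forms; an optional
# 0x66 prefix is tolerated so 32-bit code using 16-bit registers also matches.

def _cstr(s: bytes) -> bytes:
    """Regex for a literal string, case-insensitive (device/registry names)."""
    return b"(?i:" + re.escape(s) + b")"

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') precedes the int 3
    ("01 BoundsChecker 'BCHK' int 3", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  (back-door magic values)
    ("02 int 3 back door SI=4647h/DI=4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h SICE or SIWVID VxD ID",
     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int 41h/4Fh", rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    # Methods 05/07/12 all compare ax with the 0F386h magic number
    ("05/07/12 cmp ax,0F386h", rb"(?:\x66)?\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): device names opened with CreateFileA/_lopen
    ("11 MeltICE device name",
     b"|".join(_cstr(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE"))),
    # Method 12: push 4Fh ; push 2A002Ah ; call VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: registry keys that reveal a SoftICE installation
    ("13 SoftICE registry key",
     b"|".join(_cstr(k) for k in (b"Software\\NuMega\\SoftICE",
                                  b"Uninstall\\SoftICE",
                                  b"App Paths\\Loader32.Exe"))),
]

def scan(data: bytes):
    """Return sorted (offset, signature name) pairs for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)

def methods_found(data: bytes):
    """Just the distinct signature names, for a quick verdict."""
    return sorted({name for _, name in scan(data)})

# Constructed sample: a few of the sequences from the text glued together
# with NOPs. Not a real binary.
SAMPLE = (
    b"\x90\x90"
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"               # Method 02
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x05"       # Method 05, 32-bit
    + b"\\\\.\\SICE\x00software\\numega\\softice\x00"           # Methods 11, 13
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Strings alone (Method 11/13) are weak evidence on their own, since an installer or a debugger's own tools legitimately contain them; the instruction-sequence hits are the ones worth looking at first.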
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>