About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es is assumed to be 0 (IVT segment), see Method 06
    xchg    bx, es:[41h*4+2]    ; install a dummy handler, saving the old vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; only reached if our handler really got int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; al = unpredictable byte from the timer counter
    xor     cx,cx
    int     41h                 ; if SoftICE handles int 41h itself, our handler is bypassed
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl still 0 -> our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
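The following Python scanner is an added example, not code from the original post: it flags, in a binary's raw bytes, the constants and strings that Methods 01, 03, 04, 05, 07, 11, 12 and 13 above rely on (the 'BCHK' value, the int 2Fh/1684h VxD IDs, int 41h/4Fh and int 68h/43h, the 0F386h magic value, the 002A002Ah VxDCall dispatch word, the \\.\SICE-style driver names and the NuMega registry key), the way an analyst would triage a packed sample for anti-debugger checks. It assumes 16-bit encodings for the DOS-era interrupt checks and 32-bit encodings for Methods 01 and 12; the signature table, function names and the SAMPLE buffer are all constructed here.

```python
import re

# Added example (not from the original post): a signature scanner for the
# anti-SoftICE checks described in Methods 01, 03, 04, 05, 07, 11, 12 and 13.
# Instruction bytes are the 16-bit encodings for the DOS-era interrupt checks
# and 32-bit encodings for Methods 01 and 12; constants are those quoted above.
SIGNATURES = [
    ("m01 BoundsChecker 'BCHK' signature + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),        # mov ebp,4243484Bh .. int 3
    ("m03 int 2Fh/1684h, VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02.{0,6}?\xCD\x2F", re.S)),  # mov ax,1684h; mov bx,0202h; int 2Fh
    ("m04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A.{0,6}?\xCD\x2F", re.S)),  # mov ax,1684h; mov bx,7A5Fh; int 2Fh
    ("m05 int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),                        # mov ax,4Fh; int 41h
    ("m07 int 68h function 43h (V86)",
     re.compile(rb"\xB4\x43\xCD\x68")),                            # mov ah,43h; int 68h
    ("magic value 0F386h compare",
     re.compile(rb"\x3D\x86\xF3")),                                # cmp ax,0F386h
    ("m12 VWIN32_Int41Dispatch via VxDCall",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),                # push 4Fh; push 002A002Ah
    ("m11 driver name (MeltICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),           # "\\.\SICE",0 etc. (ANSI strings only)
    ("m13 NuMega registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan_anti_softice(buf):
    """Return (offset, description) pairs for every signature hit, lowest offset first."""
    hits = []
    for name, pat in SIGNATURES:
        for m in pat.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: hand-assembled fragments of Methods 01, 03, 05, 12, 11
# and 13 separated by NOPs, standing in for a code/data section of a binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp, 4243484Bh ('BCHK')   offset 4
    + b"\x66\xB8\x04\x00"                # mov ax, 04h
    + b"\xCC"                            # int 3
    + b"\x3C\x04\x75\x10"                # cmp al,4 ; jnz SoftICE_Detected
    + b"\x90" * 2
    + b"\xB8\x84\x16\xBB\x02\x02"        # mov ax,1684h ; mov bx,0202h     offset 20
    + b"\xCD\x2F"                        # int 2Fh
    + b"\x90" * 2
    + b"\xB8\x4F\x00\xCD\x41"            # mov ax,4Fh ; int 41h            offset 30
    + b"\x3D\x86\xF3\x74\x05"            # cmp ax,0F386h ; jz detected     offset 35
    + b"\x90" * 2
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"    # push 4Fh ; push 002A002Ah       offset 42
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                 # "\\.\SICE",0                    offset 52
    + b"Software\\NuMega\\SoftICE\x00"   # registry key string             offset 61
)

if __name__ == "__main__":
    for off, what in scan_anti_softice(SAMPLE):
        print(f"0x{off:04X}  {what}")
```

A hit only says the constants are present; confirm in the debugger that the bytes are really reached as code, since a data table or an unrelated string can trigger the same pattern.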