About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature that SoftICE recognises on int 3: if SoftICE is
present it handles the interrupt and changes al, otherwise al is still 04h.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; al unchanged => no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not installed, ES:DI comes back
as 0:0, so ES+DI being non-zero means the VxD is loaded:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE video (graphics) VxD, SIWVID:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next snippet, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first points the real-mode int 41h
vector at a dummy handler that just returns, so that without a debugger ax
comes back unchanged, then restores the original vector:

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in the dummy handler, keep old offset
    xchg    bx, es:[41h*4+2]        ; ... and old segment
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

8 N7 _4 c' P4 v; f) X2nd method similar to the preceding one but more difficult to detect:
- S3 ?/ R  w+ F1 y  a* ?1 |! ?& d1 H+ J- h# F. w5 t" c/ w) G
7 [. ^$ [# ^5 o7 _
int41handler PROC7 O5 _' e1 ]) Q. Y; v$ H( s
    mov     cl,al
6 @! X# Z4 p. z    iret1 K( ~1 P% U! H, g" u& o1 k
int41handler ENDP" A$ ^5 U2 A* h

7 z, j* g: P9 t$ H3 P. Z) L, t9 ]
  j. f) J7 A1 y    xor     ax,ax
# Z  a$ y) e! F8 i8 I. g% |    mov     es,ax
2 F, J2 `# g* z' u    mov     bx, cs
, }7 c4 L* q0 @5 Y8 Q    lea     dx, int41handler# Q& K6 W/ Q* A1 a  ]$ K
    xchg    dx, es:[41h*4]/ k, f7 ?. C* w2 G- [6 C! b
    xchg    bx, es:[41h*4+2]- e: g3 G$ S  R+ D
    in      al, 40h
6 `# C3 g; U0 M  _5 `# p$ Z" K    xor     cx,cx
' P/ n4 `  Y, H: m    int     41h
" M2 Z0 y+ T& X3 ]    xchg    dx, es:[41h*4]9 `9 Y1 Y, h7 p' p
    xchg    bx, es:[41h*4+2]+ d! h& k7 I, h, j  W( W$ Q# s
    cmp     cl,al" b: ^% X# k9 p6 j! A$ X5 D7 J9 D
    jnz     SoftICE_detected
* z6 s( w8 q9 V$ q6 u( F( l/ y  j( d' b4 j' j; {
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise:
0x400 is just the always-set reserved bit 10, while 0x700 also has bits 8 and
9, the LE/GE 'exact breakpoint' enables, set) or whether some memory
breakpoints are set (dr0 to dr3), simply by reading their values (ring 0
only). The values can be manipulated or changed as well (clearing BPMs for
instance).

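To make the two DR7 values quoted above concrete, here is an added example
(my own code, not part of the original text) that decodes the DR7 bit
fields: which of dr0-dr3 is armed, with what access type and length, and
whether the LE/GE bits that distinguish 0x700 from 0x400 are set. As the text
says, reading DR7 itself needs ring 0; this code only works on register
values, and the sample values in main() are constructed.

```c
/* Added example: decode a DR7 value as read by Method 10. Pure bit arithmetic;
 * the actual "mov eax, dr7" must run in ring 0. Sample values are constructed. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE   (1u << 8)    /* local exact breakpoint enable  */
#define DR7_GE   (1u << 9)    /* global exact breakpoint enable */
#define DR7_RSVD (1u << 10)   /* reserved, always reads as 1: the 0x400 of a clean box */
#define DR7_GD   (1u << 13)   /* general detect: trap any mov to/from a debug register */

/* A real DR7 read always has bit 10 set; anything else is not a DR7 value. */
static int dr7_plausible(uint32_t dr7) { return (dr7 & DR7_RSVD) != 0; }

/* Is hardware breakpoint slot 0..3 armed (its L or G bit set)? */
static int dr7_slot_armed(uint32_t dr7, int slot)
{
    return ((dr7 >> (2 * slot)) & 3u) ? 1 : 0;
}

/* Access type: 0 = execute, 1 = write, 3 = read/write (2 = I/O when CR4.DE). */
static int dr7_slot_rw(uint32_t dr7, int slot)
{
    return (int)((dr7 >> (16 + 4 * slot)) & 3u);
}

/* Length in bytes: LEN encodings 00=1, 01=2, 11=4 (10=8 on x86-64 only). */
static int dr7_slot_len(uint32_t dr7, int slot)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };
    return len_tab[(dr7 >> (18 + 4 * slot)) & 3u];
}

static int dr7_armed_count(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++) n += dr7_slot_armed(dr7, i);
    return n;
}

/* The text's signature: 0x700 = reserved bit plus LE|GE, 0x400 = reserved bit only. */
static int dr7_has_exact_bits(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Build the DR7 a debugger writes for a memory breakpoint (a BPM, in SoftICE terms). */
static uint32_t dr7_arm(uint32_t dr7, int slot, unsigned rw, unsigned len_code, int global)
{
    dr7 &= ~(0xFu << (16 + 4 * slot));                              /* clear R/W + LEN */
    dr7 |= ((rw & 3u) | ((len_code & 3u) << 2)) << (16 + 4 * slot);
    dr7 |= 1u << (2 * slot + (global ? 1 : 0));                     /* Ln or Gn */
    return dr7;
}

static void dr7_report(uint32_t dr7)
{
    printf("dr7=%#010x plausible=%d exact(LE|GE)=%d GD=%d armed=%d\n",
           (unsigned)dr7, dr7_plausible(dr7), dr7_has_exact_bits(dr7),
           (dr7 & DR7_GD) != 0, dr7_armed_count(dr7));
    for (int i = 0; i < 4; i++)
        if (dr7_slot_armed(dr7, i))
            printf("  dr%d: rw=%d len=%d\n", i, dr7_slot_rw(dr7, i), dr7_slot_len(dr7, i));
}

int main(void)
{
    uint32_t clean  = 0x400;                        /* no debugger (constructed) */
    uint32_t loader = 0x700;                        /* loaded via SoftICE loader (constructed) */
    uint32_t bpm    = dr7_arm(loader, 0, 1, 3, 1);  /* plus a global dword write BPM in dr0 */
    dr7_report(clean);
    dr7_report(loader);
    dr7_report(bpm);
    return 0;
}
```

A protector running this in ring 0 would compare dr7 against 0x700 and walk
the four slots; conversely, clearing the L/G bits (or the whole R/W+LEN
field) is exactly how the "clearing BPMs" part of the trick works.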
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;           /* the driver answered the open: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; open failed: SoftICE not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the '\\.\' prefix)

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; -> '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; -> '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

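Before tracing a target it helps to know which of these tricks it carries, so
the right breakpoints can be set up front. The following added example (my
own code, not part of the original text or of any tool it mentions) scans a
byte image for the instruction encodings quoted in Methods 01, 02, 03 and 05
and for the device names opened by Method 11. The byte patterns are the x86
encodings of the quoted instructions; the signature names and the sample
image are constructed here and are not taken from any real program. The
3-byte "cmp ax,0F386h" pattern is deliberately included to show how a short
signature produces noise on a real binary.

```c
/* Added example: grep a binary image for the anti-SoftICE patterns quoted in
 * this text (Methods 01, 02, 03, 05, 11). The sample image is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig { const char *name; const uint8_t *bytes; size_t len; };
struct hit { const char *name; size_t offset; };

/* Encodings of the instruction sequences quoted in the text. */
static const uint8_t SIG_BCHK[]     = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                  /* mov ebp,4243484Bh (Method 01) */
static const uint8_t SIG_MAGIC16[]  = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };            /* mov si,4647h / mov di,4A4Dh, 16-bit (Method 02) */
static const uint8_t SIG_MAGIC32[]  = { 0x66, 0xBE, 0x47, 0x46, 0x66, 0xBF, 0x4D, 0x4A };/* same with 66h prefixes in 32-bit code */
static const uint8_t SIG_VXD_SICE[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };/* mov ax,1684h / mov bx,202h / int 2Fh (Method 03) */
static const uint8_t SIG_INT41_4F[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                  /* mov ax,4Fh / int 41h (Method 05) */
static const uint8_t SIG_CMP_F386[] = { 0x3D, 0x86, 0xF3 };                              /* cmp ax,0F386h: short, noisy */
/* Device names opened by MeltICE (Method 11); sizeof-1 drops the NUL. */
static const uint8_t DEV_SICE[]   = "\\\\.\\SICE";
static const uint8_t DEV_SIWVID[] = "\\\\.\\SIWVID";
static const uint8_t DEV_NTICE[]  = "\\\\.\\NTICE";

static const struct sig SIGS[] = {
    { "bchk-int3",        SIG_BCHK,     sizeof SIG_BCHK },
    { "sice-backdoor-16", SIG_MAGIC16,  sizeof SIG_MAGIC16 },
    { "sice-backdoor-32", SIG_MAGIC32,  sizeof SIG_MAGIC32 },
    { "int2f-1684-sice",  SIG_VXD_SICE, sizeof SIG_VXD_SICE },
    { "int41-4f",         SIG_INT41_4F, sizeof SIG_INT41_4F },
    { "cmp-f386",         SIG_CMP_F386, sizeof SIG_CMP_F386 },
    { "dev-sice",         DEV_SICE,     sizeof DEV_SICE - 1 },
    { "dev-siwvid",       DEV_SIWVID,   sizeof DEV_SIWVID - 1 },
    { "dev-ntice",        DEV_NTICE,    sizeof DEV_NTICE - 1 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Naive scan: every signature at every offset. Returns the total number of
 * matches; only the first max_out are written to out. */
static size_t scan_image(const uint8_t *buf, size_t len, struct hit *out, size_t max_out)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        for (size_t off = 0; off + SIGS[s].len <= len; off++) {
            if (memcmp(buf + off, SIGS[s].bytes, SIGS[s].len) != 0) continue;
            if (n < max_out) { out[n].name = SIGS[s].name; out[n].offset = off; }
            n++;
        }
    }
    return n;
}

/* Constructed sample image: filler plus a few of the quoted sequences. */
static const uint8_t SAMPLE_IMAGE[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0x90,                          /* 0x00 prologue filler */
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,  /* 0x08 Method 01 */
    0x90, 0x90, 0x90, 0x90,                                                  /* 0x14 filler */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,                          /* 0x18 Method 05, cmp at 0x1D */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,                            /* 0x20 "\\.\SICE" */
    0, 0, 0,                                                                 /* 0x29 padding */
    '\\', '\\', '.', '\\', 'N', 'T', 'I', 'C', 'E', 0,                       /* 0x2C "\\.\NTICE" */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCD, 0x03,                          /* 0x36 Method 02 magic values + int 3 */
};

static size_t sample_hit_count(void)
{
    struct hit hits[32];
    return scan_image(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, hits, 32);
}

/* Offset of the first hit with the given name in the sample, or -1. */
static long sample_hit_offset(const char *name)
{
    struct hit hits[32];
    size_t n = scan_image(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, hits, 32);
    if (n > 32) n = 32;
    for (size_t i = 0; i < n; i++)
        if (strcmp(hits[i].name, name) == 0) return (long)hits[i].offset;
    return -1;
}

int main(void)
{
    struct hit hits[32];
    size_t n = scan_image(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, hits, 32);
    for (size_t i = 0; i < n && i < 32; i++)
        printf("%-18s at offset 0x%04zx\n", hits[i].name, hits[i].offset);
    return 0;
}
```

On a real target, feed it the file bytes (or a memory dump taken after the
unpacker has run, since packed protectors hide these sequences until then)
and turn each hit into a BPX at that address instead of relying on the
API-level breakpoints above.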
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.