<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: the int 3 is issued
with EBP='BCHK' and AX=4, and if SoftICE is loaded AL no longer equals 4
on return.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI stays 0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; a plain iret leaves AX=4Fh; SoftICE returns 0F386h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = timer byte, hard to predict
    xor cx,cx
    int 41h                 ; CL becomes AL only if our handler really ran
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
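As an added example (not part of the original text), here is a decoder for the values a ring-0 probe of this kind reads back: it splits DR7 into its documented fields and maps the armed slots onto DR0..DR3, so the 0x400/0x700 figures above and any set BPMs become readable. The field layout is the standard x86 one; the register values fed in are constructed.

```python
# x86 DR7 layout: bits 0-7 are the L/G enable pairs for slots 0-3, bit 8 is
# LE and bit 9 is GE (the two bits that turn 0x400 into 0x700), bit 10 is
# fixed at 1, and bits 16-31 hold a 2-bit R/W and a 2-bit LEN field per slot.
from dataclasses import dataclass, field
from typing import List

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass
class HwBreakpoint:
    slot: int
    address: int
    kind: str
    length: int
    scope: str                 # "local", "global" or "local+global"


@dataclass
class DebugRegState:
    dr7: int
    le_ge: bool                # LE or GE set: the 0x700 signature from the text
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_debug_regs(dr7: int, dr0_3: List[int]) -> DebugRegState:
    """Map the DR7 enable/RW/LEN fields onto the addresses held in DR0..DR3."""
    state = DebugRegState(dr7=dr7, le_ge=bool(dr7 & 0x300))
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue           # slot disarmed; whatever DRn holds is stale
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        scope = "+".join(n for n, on in (("local", local), ("global", glob)) if on)
        state.breakpoints.append(
            HwBreakpoint(slot, dr0_3[slot], RW_KIND[rw], LEN_BYTES[ln], scope))
    return state


def looks_like_softice(state: DebugRegState) -> bool:
    """The text's heuristic: LE/GE left set, or any memory breakpoint armed."""
    return state.le_ge or bool(state.breakpoints)


if __name__ == "__main__":
    # Constructed values: a clean DR7, the loader's 0x700, and one BPM RW
    # dword on 401000h in slot 0 (G0 set, RW0=11b, LEN0=11b).
    for dr7, regs in ((0x400, [0] * 4), (0x700, [0] * 4), (0xF0402, [0x401000, 0, 0, 0])):
        st = decode_debug_regs(dr7, regs)
        print(f"dr7={dr7:#x} le/ge={st.le_ge} softice?={looks_like_softice(st)}")
        for bp in st.breakpoints:
            print(f"  slot{bp.slot} {bp.address:#010x} {bp.kind} len={bp.length} {bp.scope}")
```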

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

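As an added example (not from the original text or from any tool it names), a static scanner that flags the byte patterns behind Methods 01, 02, 03/04, 05, 07, 11 and 12 in a file image, so a sample can be triaged before it is ever run under a debugger. The encodings are derived from the instructions quoted above (16-bit operand size for the DOS snippets, 32-bit for the Win32 ones); the sample blob is constructed, not taken from a real binary.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    method: str
    detail: str


def _dev(name: bytes) -> re.Pattern:
    # "\\.\NAME" exactly as it sits in the CreateFileA / _lopen argument string
    return re.compile(re.escape(b"\\\\.\\" + name), re.IGNORECASE)


# (method in the text, what the bytes encode, pattern). A 66h operand-size
# prefix in 32-bit code lands before the opcode byte, so these match both modes.
SIGNATURES = [
    ("Method 01", "mov ebp,4243484Bh 'BCHK' (BoundsChecker int 3 probe)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("Method 02", "mov si,4647h then mov di,4A4Dh (back-door magic values)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    ("Method 03/04", "mov bx,0202h|7A5Fh then int 2Fh (VxD ID lookup)",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    ("Method 05", "mov ax,4Fh then int 41h (debugger installation check)",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("Method 07", "mov ah,43h then int 68h (WinICE V86 handler)",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("Method 05/07/12", "cmp ax,0F386h (system-debugger magic number)",
     re.compile(rb"\x3D\x86\xF3")),
    ("Method 11", "SICE device name", _dev(b"SICE")),
    ("Method 11", "SIWVID device name", _dev(b"SIWVID")),
    ("Method 11", "NTICE device name", _dev(b"NTICE")),
    ("Method 12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes) -> List[Hit]:
    """Return every signature hit in blob, ordered by file offset."""
    hits = [Hit(m.start(), method, detail)
            for method, detail, pat in SIGNATURES
            for m in pat.finditer(blob)]
    return sorted(hits)


# Constructed sample (not a real file): the HASP-style sequence from Method 02,
# then a MeltICE-style device name, then the 0F386h compare.
SAMPLE = (
    b"\x90" * 6
    + b"\xB8\x11\x09"         # mov ax,0911h
    + b"\x8B\x17"             # mov dx,[bx]
    + b"\xBE\x47\x46"         # mov si,4647h    (offset 11)
    + b"\xBF\x4D\x4A"         # mov di,4A4Dh
    + b"\xCC"                 # int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"      # '\\.\SICE',0    (offset 22)
    + b"\x3D\x86\xF3"         # cmp ax,0F386h   (offset 31)
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  {h.method:<16} {h.detail}")
```

The int 3 / int 41h opcodes are deliberately not matched on their own: they are far too common in clean code, which is why each pattern anchors on the magic operand the text quotes.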
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>