About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with ebp='BCHK' and
ax=4, the int 3 is answered by SoftICE, which overwrites al; without
SoftICE the int 3 returns with al still equal to 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; still 4: nobody answered the BCHK probe
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'back door' commands reached through int 3, which give
information on breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
The last one reboots the machine, so do not let this loop reach its sixth
iteration with SoftICE loaded: break on the back door first (for instance
BPINT 3 if ax==0911) and skip the INT 3 or change the command string.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API Entry Point): if a VxD with that device ID is loaded, ES:DI
receives its API entry point, otherwise ES:DI is left untouched (the code
clears it first, so any non-zero ES or DI afterwards means the VxD is there).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; cheap "either one non-zero" test
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by any system
debugger.  It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  This one first points the int 41h vector
at a plain IRET, so that without a system-level debugger ax comes back
unchanged; SoftICE catches the interrupt at ring 0 before it reaches the
vector table and still answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install the IRET stub, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect, since
there is no 4Fh function number and no 0F386h constant to break on.
The stub copies al into cl; the caller loads al with a value read from the
timer chip (port 40h, different on every run) and clears cx.  If the int 41h
really goes through the vector table, cl equals al afterwards; SoftICE
catches int 41h at ring 0 before it reaches the stub, so cl stays 0:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install the stub, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only).  Values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.  If the driver is loaded the open
succeeds and a handle comes back; if not, CreateFile returns
INVALID_HANDLE_VALUE.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the device exists: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix,
  and the dword there is compared with the first four characters of the name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE'
inside the subkey strings of keys #2 and #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
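
When you meet a protected program, the first question is usually which of the
tricks above it carries.  The scanner below is an added example, not part of
the original text or of any of the tools it mentions: it turns the listings of
Methods 01-05, 07, 11 and 12 into byte patterns and reports where they occur in
a raw code image.  It matches instruction encodings (with an optional 66h
operand-size prefix so 16-bit and 32-bit code both match), it does not
disassemble, and the allowed gap between instructions, the labels and the
hand-assembled sample image are our own choices; branch displacements and the
call target in the sample are placeholders.  The sample bytes are constructed
test data, not taken from a real binary.

```python
import re

# Added example (not from the original text): static scanner for the
# anti-SoftICE idioms of Methods 01-05, 07, 11 and 12 in a raw code image.
# Byte-pattern matching only: reordered or obfuscated variants are missed.

GAP = rb".{0,8}?"   # up to 8 bytes of unrelated instructions in between

# A leading 66h operand-size prefix is optional so each pattern matches both
# the 16-bit (DOS/Win16) and the 32-bit (Win32) encoding of the instruction.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' probe via int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC"),             # mov ebp,'BCHK' .. int 3
    ("M02 back door function number (mov ax,091xh)",
     rb"\x66?\xB8[\x10-\x14]\x09"),                                # mov ax,0910h..0914h
    ("M02 back door magic SI=4647h/DI=4A4Dh before int 3",
     rb"\x66?\xBE\x47\x46" + GAP + rb"\x66?\xBF\x4D\x4A" + GAP + rb"\xCC"),
    ("M03 int 2Fh/1684h with SICE VxD ID 0202h",
     rb"\x66?\xB8\x84\x16" + GAP + rb"\x66?\xBB\x02\x02" + GAP + rb"\xCD\x2F"),
    ("M04 int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     rb"\x66?\xB8\x84\x16" + GAP + rb"\x66?\xBB\x5F\x7A" + GAP + rb"\xCD\x2F"),
    ("M05 int 41h/4Fh debugger installation check",
     rb"\x66?\xB8\x4F\x00" + GAP + rb"\xCD\x41"),
    ("M07 int 68h/43h debugger check",
     rb"\xB4\x43" + GAP + rb"\xCD\x68"),
    ("M05/07/12 compare with magic 0F386h",
     rb"\x66?\x3D\x86\xF3"),                                       # cmp ax,0F386h
    ("M11 SoftICE device name (MeltICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),                        # "\\.\SICE",0 etc.
    ("M12 VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                            # push 4Fh ; push 2A002Ah
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(image):
    """Return a list of (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(image):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(image):
    """Return the sorted set of method tags ('M01', 'M02', ...) seen in the image."""
    return sorted({label.split()[0] for _, label in scan(image)})


# Constructed test image: the page's listings hand-assembled into bytes
# (16-bit encodings except Method 12, which is Win32 code), separated by NOPs.
PAD = b"\x90" * 8
SAMPLE_IMAGE = (
    PAD + bytes.fromhex("66BD4B484342 B80400 CC 3C04 7510")                    # Method 01
    + PAD + bytes.fromhex("31FF 8EC7 B88416 BB0202 CD2F 8CC0 01F8 85C0 7510")  # Method 03
    + PAD + bytes.fromhex("31FF 8EC7 B88416 BB5F7A CD2F 8CC0 01F8 85C0 7510")  # Method 04
    + PAD + bytes.fromhex("B84F00 CD41 3D86F3 7410")                           # Method 05
    + PAD + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB E955FF 8BDC")  # Haspinst loop
    + PAD + bytes.fromhex("B443 CD68 3D86F3 7410")                             # Method 07
    + PAD + b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00\\\\.\\NTICE\x00"                # MeltICE strings
    + PAD + bytes.fromhex("6A4F 682A002A00 E800000000 663D86F3 7410")          # Method 12
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE_IMAGE):
        print(f"{offset:06X}  {label}")
```

Run it on a dumped (unpacked) code section rather than on a packed file: all
of these patterns live in the code the packer/encryptor decrypts at run time,
so a hit in the raw file usually means the protection itself is unpacked.  The
0F386h compare is reported separately because it is the common tail of
Methods 05, 07 and 12 and is the constant you will want a breakpoint on.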
</PRE></TD></TR></TBODY></TABLE>