<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax            ; es = 0 (interrupt vector table), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]   ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al            ; our handler copies al into cl; SoftICE's does not
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; arbitrary non-constant value (timer channel 0)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al            ; cl != al means our handler did not run
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only if the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>