<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE: with 'BCHK' in EBP and
AX=4, the INT 3 is answered by SoftICE's BoundsChecker interface, so AL is
no longer 4 on return when SoftICE is loaded.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device Entry Point"). ES:DI is zeroed beforehand and only becomes
non-zero if a VxD with that ID answers.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is swapped for a
dummy handler (a bare iret) around the call, so that on a system without a
debugger ax comes back unchanged whatever the default handler would do,
while SoftICE, which takes the interrupt itself, still returns 0F386h:

 xor ax,ax
 mov es,ax ; es = 0 -> real-mode interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
function number is passed in ax (al is just a byte read from the timer
port), so a "BPINT 41 if ax==4f" never triggers. If the interrupt reaches
the dummy handler, cl ends up equal to al; if SoftICE handles the interrupt
itself instead of passing it on, cl stays 0 and the mismatch gives the
debugger away.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax ; es = 0 -> real-mode interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; timer counter: an unpredictable byte
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
 32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh


___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
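As an added example, not from the original text: a Python decoder for the DR7 layout, so the two values quoted above can be read off field by field. The bit assignments are the architectural ones (L0..G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 always reads as set, GD bit 13, one R/W and LEN pair per slot from bit 16 up); decoded that way, 0x400 is nothing but the always-set bit 10, while 0x700 additionally has LE and GE set, and any non-zero L/G bit means a hardware breakpoint (a BPM) is armed on the matching DR0..DR3 address. The function names and the constructed sample values are this example's own.

```python
"""Decoder for the x86 DR7 debug-control register (added example)."""

# R/W field: what kind of access arms the breakpoint.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field: 10b means 8 bytes in 64-bit mode only and is undefined on the
# 32-bit systems this text is about; it is kept so the decoder never fails.
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7, dr_addr=(0, 0, 0, 0)):
    """Return a dict describing DR7: four slot records plus the global flags.

    dr_addr supplies DR0..DR3 so an enabled slot can show the address it
    watches (pass whatever was read from the registers; zeros otherwise).
    """
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: 2 bits from bit 16
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: 2 bits from bit 18
        slots.append({
            "slot": i,
            "local": bool(local),
            "global": bool(glob),
            "enabled": bool(local or glob),
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
            "address": dr_addr[i],
        })
    return {
        "slots": slots,
        "LE": bool(dr7 & (1 << 8)),             # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),             # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # architecturally reads as 1
        "GD": bool(dr7 & (1 << 13)),            # general detect (traps MOV DRn)
    }


def active_breakpoints(dr7, dr_addr=(0, 0, 0, 0)):
    """(slot, address, type, length) for every armed hardware breakpoint."""
    return [(s["slot"], s["address"], s["type"], s["length"])
            for s in decode_dr7(dr7, dr_addr)["slots"] if s["enabled"]]


def diff_dr7(a, b):
    """Names of the DR7 fields in which two register values differ."""
    da, db = decode_dr7(a), decode_dr7(b)
    out = {k for k in ("LE", "GE", "reserved_bit10", "GD") if da[k] != db[k]}
    for sa, sb in zip(da["slots"], db["slots"]):
        for k in ("local", "global", "type", "length"):
            if sa[k] != sb[k]:
                out.add(f"slot{sa['slot']}.{k}")
    return out


def looks_like_softice_loader(dr7):
    """The text's heuristic: 0x700 (LE and GE set) versus the idle 0x400."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


if __name__ == "__main__":
    # The two values quoted in the text, then a constructed value with a
    # 4-byte write breakpoint armed in slot 0 (L0 | R/W0=write | LEN0=4).
    for value in (0x700, 0x400):
        print(hex(value), decode_dr7(value))
    print("0x700 vs 0x400 differ in:", sorted(diff_dr7(0x700, 0x400)))
    print("armed:", active_breakpoints(0xD0401, (0x401000, 0, 0, 0)))
```

Reading DR7 only tells you that the exact-breakpoint flags or an L/G bit are set; it does not tell you who set them, so a loader, another debugger or a kernel-mode tracer all look the same to this check.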
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Open the SICE VxD by its device name; the open only succeeds when
       the driver is loaded. CreateFile resolves to CreateFileA here since
       the name is an ANSI string. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;    /* driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(


Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
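As an added example (not part of the original text, and not code from any of the programs named above), here is a small Python scanner that turns the preceding methods around: given a file image, it flags the byte sequences and strings those tricks leave behind, namely the 'BCHK' constant plus INT 3 of method 01, the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h calls of methods 03/04, the int 41h/4Fh call of method 05, the 0F386h comparison shared by methods 05, 06, 07 and 12, the int 68h/43h call of method 07, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of method 11, the VxDCall 002A002Ah/4Fh pair of method 12 and the registry paths of method 13. The instruction encodings are the standard x86 ones (16-bit forms, or 66h-prefixed in 32-bit code); only the plain forms shown in this text are matched, so rewritten or obfuscated variants are missed. The rule labels, the function names and the SAMPLE buffer are this example's own constructions.

```python
"""Static triage scanner for the SoftICE-detection idioms above (added example)."""
import re

# One rule per trick: (label, compiled bytes regex). Encodings used:
#   BD imm32    mov ebp,imm32        B8 imm16   mov ax,imm16 (66h prefix in 32-bit code)
#   BE/BF imm16 mov si/di,imm16      BB imm16   mov bx,imm16
#   B4 imm8     mov ah,imm8          CD xx      int xx          CC   int 3
#   3D imm16    cmp ax,imm16         6A / 68    push imm8 / push imm32
RULES = [
    ("01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("02 back door magic SI=4647h, DI=4A4Dh + int 3",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    ("03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F",
                re.DOTALL)),
    ("05 int 41h function 4Fh",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    ("05/06/07/12 compare with magic number 0F386h",
     re.compile(rb"\x3D\x86\xF3")),
    ("07 int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.DOTALL)),
    ("11 MeltICE device name",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")),
    ("12 VxDCall VWIN32_Int41Dispatch, function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(buf):
    """Return a sorted list of (offset, label) for every rule hit in buf."""
    hits = []
    for label, rx in RULES:
        for m in rx.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(buf):
    """Set of method labels that hit at least once."""
    return {label for _, label in scan(buf)}


# Constructed sample image: a few of the idioms back to back, padded with
# NOPs. It stands in for a real DOS executable or Win9x PE section.
SAMPLE = b"".join([
    b"\x90" * 4,
    b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04",  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC",      # mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",              # mov ax,1684h; mov bx,202h; int 2Fh
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",              # mov ax,4Fh; int 41h; cmp ax,0F386h
    b"\x6A\x4F\x68\x2A\x00\x2A\x00",                  # push 4Fh; push 2A002Ah
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00",               # MeltICE device names
    b"Software\\NuMega\\SoftICE\x00",                 # registry path
    b"\x90" * 4,
])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  {label}")
```

Run it on a DOS executable or a Win9x PE and compare the offsets against a disassembly: a hit on the 0F386h comparison alone is weak evidence, since the bytes 3D 86 F3 can occur by chance, while a device-name string or the full INT 3 sequence with its magic values is a near-certain sign of one of the checks described here.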
___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>