<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an int 3
executed with EBP='BCHK' is answered by SoftICE, which changes AL, so
AL is no longer 4 on return.

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3                  ; SoftICE's BoundsChecker interface handles this...
    cmp al,4               ; ...and AL is not 4 anymore when it did
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point): ES:DI comes back non-zero only if a VxD with
that ID is loaded.

    xor di,di
    mov es,di              ; ES:DI = 0 before the call
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WinICE (SICE)
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di             ; (still 0 if the VxD is not loaded)
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di              ; ES:DI = 0 before the call
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check).
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT
is first swapped for a dummy handler, so that without SoftICE the call
comes back with ax unchanged; the original vector is restored afterwards:

    mov bx, cs             ; assumes ES = 0 (the IVT), as set up explicitly in Method 06
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our handler, saving the old offset in DX...
    xchg bx, es:[41h*4+2]  ; ...and the old segment in BX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect,
since there is no 4Fh function number or 0F386h compare to look for.
An unpredictable value (read from the timer port) is passed in AL and our
own handler copies it into CL: if CL != AL afterwards, the interrupt never
reached the IVT handler because SoftICE swallowed it. (If AL happens to
be 0 the check gives a false negative, since CX was zeroed beforehand.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax              ; ES = 0: the IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our handler, save the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h             ; AL = PIT counter, an unpredictable value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; did our handler run? then CL == AL
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                    ; DOS: set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise:
0x400 is the reserved bit 10 that always reads as 1, and 0x700 adds the
LE/GE exact-breakpoint bits), or if there are some memory breakpoints set
(dr0 to dr3), simply by reading their value (in ring 0 only). Values can
be manipulated or changed as well (clearing BPMs for instance).
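Decoding what this trick reads, as an added example that is not part of the original page: the DR7 bit layout below is the documented Intel one (L0/G0..L3/G3 enable bits, LE/GE at bits 8 and 9, the always-set bit 10, R/W and LEN fields from bit 16) and is assumed here, not taken from the page; the sample values are the page's own 0x700/0x400 plus one constructed BPM. Reading DRx is ring 0 only, so this works on values you already captured (from a VxD, a crash dump or a debugger CONTEXT), it does not read the registers itself.

```python
# Added example: decode what Method 10 reads from the debug registers.
# DR7 layout per the Intel SDM (assumed here, not quoted from the page):
#   bits 0-7  : L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bits 8, 9 : LE, GE          exact-breakpoint bits (the page's 0x700 case)
#   bit 10    : reserved, always reads as 1 (the page's 0x400 baseline)
#   bit 13    : GD              general detect (traps MOV to/from DRx)
#   bits 16+  : R/Wn (2 bits) and LENn (2 bits) for each DRn
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only on CPUs that support it


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the breakpoints and control bits encoded in DR7.

    dr0_3 are the matching DR0..DR3 linear addresses if you captured them.
    A breakpoint is reported only if its local or global enable bit is set,
    which is exactly the "some memory breakpoints set" test of Method 10.
    """
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({
            "index": i,
            "address": dr0_3[i],
            "local": bool(local),
            "global": bool(glob),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": bps,
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),
        "reserved_bit10": bool(dr7 & 0x400),
    }


def softice_loader_hint(dr7):
    """The page's heuristic: 0x700 (LE|GE on top of the fixed bit 10) means the
    program was started by the SoftICE loader, 0x400 is the clean baseline."""
    control = dr7 & 0x700
    if control == 0x700:
        return "loaded via SoftICE loader (LE|GE set)"
    if control == 0x400:
        return "clean (only the fixed bit 10 set)"
    return "unexpected control bits %#x" % control


def clear_bpms(dr7):
    """What "clearing BPMs" from ring 0 amounts to: drop the eight enable bits.
    R/W and LEN fields are left alone; they are inert without an enable bit."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # Constructed sample: a BPM on 0x401000, write, dword, armed on DR1
    # (L1 = bit 2, R/W1 = 01b at bits 20-21, LEN1 = 11b at bits 22-23).
    sample_dr7 = 0x400 | (1 << 2) | (1 << 20) | (3 << 22)
    for bp in decode_dr7(sample_dr7, (0, 0x401000, 0, 0))["breakpoints"]:
        print("DR%d: %s, %d byte(s) at %#x" % (bp["index"], bp["kind"],
                                               bp["length"], bp["address"]))
    print(softice_loader_hint(0x700))
    print("after clear_bpms: %#x" % clear_bpms(sample_dr7))
```

The page's loader test only looks at the three control bits, so `softice_loader_hint` masks with 0x700 and ignores any enabled breakpoints; use `decode_dr7` for those.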

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);    /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it's only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386           ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (offsets 0x13 and 0x37 are where 'tICE'
sits in the key names of #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
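Most of the tricks above boil down to a few fixed byte sequences or strings, which is what you grep a suspect binary for before loading it under the debugger. The scanner below is an added example, not part of the original page nor of any program it mentions: it encodes the instruction sequences of Methods 01, 02, 03/04, 05, 07 and 12 and the strings of Methods 11 and 13 as byte patterns, and runs them over a constructed sample buffer built from the page's own Method 04 and Method 12 sequences plus a SIWVID device name. The opcode encodings are the standard x86 ones and are assumed here; a hit is a lead to confirm with one of the BPX lines above, not proof.

```python
# Added example: static scanner for the anti-SoftICE signatures on this page.
# The opcode bytes are the standard x86 encodings (assumed here, not quoted
# from the page); the DOS-era tricks are encoded as 16-bit code and the Win32
# ones as 32-bit code, and where the bytes are the same in both modes a single
# pattern covers either.
import re

VXD_IDS = {0x0202: "SICE (WinICE)", 0x7A5F: "SIWVID (SoftICE GFX VxD)"}

SIGNATURES = [
    ("01 BoundsChecker: mov ebp,'BCHK' (4243484Bh) before int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02 back door: mov si,4647h / mov di,4A4Dh magic values",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A")),
    ("03/04 int 2Fh/1684h Get Device API Entry Point for a VxD ID",
     re.compile(rb"\xB8\x84\x16\xBB(..)\xCD\x2F", re.DOTALL)),
    ("05 int 41h function 4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("05/07/12 cmp ax,0F386h (system debugger magic number)",
     re.compile(rb"\x3D\x86\xF3")),
    ("07 int 68h function 43h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("12 VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("11 MeltICE: SoftICE device name for CreateFile/_lopen",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    ("13 registry: NuMega\\SoftICE key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob):
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            desc = label
            if label.startswith("03/04"):
                # the wildcard captured the imm16 of "mov bx,imm16": the VxD ID
                vxd_id = int.from_bytes(m.group(1), "little")
                desc += " -> VxD ID %04Xh (%s)" % (vxd_id, VXD_IDS.get(vxd_id, "unknown"))
            elif label.startswith("11"):
                desc += " -> " + m.group(1).decode("ascii")
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample buffer (not a real file): NOP padding, the page's Method 04
# sequence (xor di,di / mov es,di / mov ax,1684h / mov bx,7A5Fh / int 2Fh /
# mov ax,es / add ax,di / test ax,ax / jnz), then the Method 12 sequence
# (push 4Fh / push 002A002Ah / call rel32 / cmp ax,0F386h / jz) and a device name.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("31FF8EC7B88416BB5F7ACD2F8CC001F885C07505")
    + b"\x90" * 4
    + bytes.fromhex("6A4F682A002A00E800000000663D86F37400")
    + b"\x00\\\\.\\SIWVID\x00"
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print("%06x  %s" % (offset, desc))
```

Run it on a whole file with `scan(open(path, "rb").read())`. The 0F386h compare is deliberately kept as a separate, weaker pattern: it is the one byte sequence shared by Methods 05, 07 and 12 and survives the Stone variants that hide the int 41h call behind a swapped vector.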
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed       ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE> |