<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: with EBP='BCHK' and
AX=4 on entry, SoftICE's INT 3 handler recognises the BoundsChecker probe and
returns with AL changed (no longer 4). Without SoftICE, AL keeps the value 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on INT 3, which returns information on
breakpoints or executes SoftICE commands on the caller's behalf.
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before honouring the request.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; back door call (if SoftICE is not loaded, jumps to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands whose strings are
pointed to by DS:DX, namely: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an exception handler the program
installs on INT 03h (its own "SEH"): when the debugger is not loaded, the
INT 3 lands there instead of in SoftICE.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via INT 2Fh/AX=1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back with
its protected-mode API entry point; otherwise ES:DI is left at zero.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WinICE (SICE)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by any system
debugger. It calls INT 41h, function 4Fh (the debugger installation check).
There are several variants.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


This variant as well as the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the INT 41h vector in the interrupt
vector table is temporarily pointed at a dummy handler, so that without a
debugger the call returns AX unchanged; if AX comes back as 0F386h,
somebody (SoftICE) caught the interrupt before the vector was reached:

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler (offset) ...
 xchg bx, es:[41h*4+2] ; ... and segment, keeping the old vector in DX/BX
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but harder to spot: instead of
checking AX it reads an unpredictable byte (the PIT counter, port 40h) into
AL and relies on its own INT 41h handler to copy AL into CL. If SoftICE
swallows the interrupt, the handler never runs, CL stays 0 and differs from
AL. (If AL happens to read 0 the check gives a false negative, one chance
in 256.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; PIT channel 0 counter: an unpredictable byte
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (the V86-mode debugger
interface): function AH=43h returns AX=0F386h when a debugger is installed.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 35h (get interrupt vector) and 25h (set
interrupt vector), with DS:DX pointing to the new routine to execute
(hangs the computer when a debugger depends on those vectors...)

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 push cs
 pop ds ; DS:DX = new handler (assuming it lives in the code segment)
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is.

 mov eax, Device_ID ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
 mov edi, Device_Name ; only used when there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ECX = DDB, or 0 if the VxD is not installed


Note as well that you can easily catch this method with SoftICE:
 BPX Get_DDB if ax==0202 || ax==7A5F

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints (BPMs) are set in DR0..DR3, simply
by reading their values (ring 0 only, since MOV from a debug register is a
privileged instruction). The values can be manipulated or changed as well
(clearing BPMs, for instance).
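The following C program is an added example, not code from the original text: it decodes a DR7 value together with DR0..DR3 the way such a ring-0 check would, flags the 0x700-versus-0x400 difference mentioned above, and computes the DR7 value a protection would write back to silence every BPM. The bit layout is the documented IA-32 one; the register values in the sample are constructed for illustration and were not captured from a running system. Reading or writing the real registers still needs ring 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one hardware breakpoint slot (DR0..DR3) as described by DR7.
 * IA-32 layout: L0,G0..L3,G3 in bits 0-7; LE = bit 8, GE = bit 9; bit 10 is
 * reserved and always reads 1; R/Wn in bits 16+4n..17+4n; LENn in 18+4n..19+4n. */
typedef struct {
    int      enabled;  /* Ln or Gn set                                               */
    unsigned kind;     /* R/W field: 0=execute, 1=write, 3=read/write (2=I/O, CR4.DE) */
    unsigned len;      /* LEN field decoded to bytes (1, 2, 4; 8 only on x86-64)      */
    uint32_t addr;     /* linear address held in DRn                                  */
} hwbp_t;

static const unsigned len_bytes[4] = { 1, 2, 8, 4 };   /* LEN encodings 00,01,10,11 */

/* Decode DR7 plus DR0..DR3 into out[0..3]; returns how many slots are armed. */
int decode_dr7(uint32_t dr7, const uint32_t dr[4], hwbp_t out[4])
{
    int armed = 0;
    for (int i = 0; i < 4; i++) {
        unsigned l  = (dr7 >> (2 * i))      & 1;
        unsigned g  = (dr7 >> (2 * i + 1))  & 1;
        unsigned rw = (dr7 >> (16 + 4 * i)) & 3;
        unsigned ln = (dr7 >> (18 + 4 * i)) & 3;
        out[i].enabled = (l | g) != 0;
        out[i].kind    = rw;
        out[i].len     = len_bytes[ln];
        out[i].addr    = dr[i];
        if (out[i].enabled)
            armed++;
    }
    return armed;
}

/* The two values quoted in the text: a clean DR7 reads 0x400 (only the reserved
 * bit); 0x700 adds LE/GE (bits 8-9), which the text reports for programs started
 * from the SoftICE loader. Anything in the low byte means a BPM is armed. */
int dr7_looks_debugged(uint32_t dr7)
{
    return (dr7 & 0x0FFu) != 0 || (dr7 & 0x300u) != 0;
}

/* DR7 value a protection would write back to silence every BPM: clear all
 * enable bits and every R/W+LEN field, keep bits 8-15 (LE/GE/GD) and the
 * always-one reserved bit. Applying it needs MOV DR7,reg, i.e. ring 0. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return (dr7 & 0x0000FF00u) | 0x400u;
}

/* Constructed sample: DR0 = execute breakpoint on 1 byte, DR2 = read/write BPM
 * on 4 bytes, LE/GE set as with SoftICE's loader. Not captured from a system. */
const uint32_t sample_dr7    = 0x0F000721u;
const uint32_t sample_drs[4] = { 0x00401000u, 0, 0x00403000u, 0 };

int main(void)
{
    hwbp_t bp[4];
    int n = decode_dr7(sample_dr7, sample_drs, bp);
    printf("DR7=%08x debugged=%d armed=%d\n",
           (unsigned)sample_dr7, dr7_looks_debugged(sample_dr7), n);
    for (int i = 0; i < 4; i++)
        if (bp[i].enabled)
            printf("  DR%d: addr=%08x kind=%u len=%u\n",
                   i, (unsigned)bp[i].addr, bp[i].kind, bp[i].len);
    printf("DR7 after clearing BPMs: %08x\n", (unsigned)dr7_clear_bpms(sample_dr7));
    return 0;
}
```

On the sample the decoder reports two armed slots; after dr7_clear_bpms() the value drops to 0x700, which is why the warning above tells you to clear breakpoints before stepping through such code: SoftICE's own BPMs live in these same registers.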

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega to
let Symbol Loader check whether SoftICE was active (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. The open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the driver answered: SoftICE is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how on earth could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is thereby detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected


Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(


Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
in key #2 and key #1 respectively):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
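Most of the tricks above (the INT 3 back door of methods 01 and 02, the INT 2Fh/INT 41h/INT 68h probes of methods 03 to 07, the driver names of method 11, the VxDCall of method 12 and the registry path of method 13) leave literal byte patterns in an unpacked binary. The following C program is an added example, not part of the original text, of triaging a file for them: it carries a small signature table with the encodings shown on this page and scans a buffer, returning a bitmask of the method numbers it saw. The sample buffer is constructed for illustration and mimics the HASP loop quoted under method 02; it is not taken from any real binary. Because the signatures are the exact encodings quoted here, a protection that renames registers, reorders the moves or decrypts itself at run time will not be caught by static matching, so treat a clean result as "nothing obvious", not as "clean".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One signature: method number from the text, a description, and the bytes as
 * 16-bit DOS code encodes them. 32-bit code puts a 66h operand-size prefix in
 * front of the 16-bit immediates, so matching from the opcode on fits both. */
typedef struct {
    int            method;
    const char    *what;
    const uint8_t *pat;
    size_t         len;
} sig_t;

#define BYTES(a) (a), sizeof(a)
#define STR(s)   (const uint8_t *)(s), sizeof(s) - 1

static const uint8_t p01a[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,4243484Bh ('BCHK')  */
static const uint8_t p01b[] = { 0xB8, 0x04, 0x00, 0xCC };                   /* mov ax,4 / int 3             */
static const uint8_t p02[]  = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };       /* mov si,4647h / mov di,4A4Dh  */
static const uint8_t p03[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,202h / int 2Fh */
static const uint8_t p04[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* same, bx=7A5Fh (SIWVID)   */
static const uint8_t p05[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };             /* mov ax,4Fh / int 41h         */
static const uint8_t p07[]  = { 0xB4, 0x43, 0xCD, 0x68 };                   /* mov ah,43h / int 68h         */
static const uint8_t p12[]  = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 4Fh / push 002A002Ah    */

static const sig_t sigs[] = {
    { 1,  "BoundsChecker probe: mov ebp,'BCHK'",          BYTES(p01a) },
    { 1,  "BoundsChecker probe: mov ax,4 / int 3",         BYTES(p01b) },
    { 2,  "INT 3 back door magic SI=4647h DI=4A4Dh",       BYTES(p02)  },
    { 3,  "INT 2Fh/1684h for VxD ID 0202h (SICE)",          BYTES(p03)  },
    { 4,  "INT 2Fh/1684h for VxD ID 7A5Fh (SIWVID)",        BYTES(p04)  },
    { 5,  "INT 41h function 4Fh",                           BYTES(p05)  },
    { 7,  "INT 68h function 43h",                           BYTES(p07)  },
    { 11, "device name \\\\.\\SICE (MeltICE)",             STR("\\\\.\\SICE")   },
    { 11, "device name \\\\.\\SIWVID (MeltICE)",           STR("\\\\.\\SIWVID") },
    { 11, "device name \\\\.\\NTICE (MeltICE, NT)",        STR("\\\\.\\NTICE")  },
    { 12, "VxDCall VWIN32_Int41Dispatch, function 4Fh",    BYTES(p12)  },
    { 13, "registry path Software\\NuMega\\SoftICE",        STR("Software\\NuMega\\SoftICE") },
};

/* Plain byte search; returns the offset of the first match or -1. */
static long find_bytes(const uint8_t *buf, size_t n, const uint8_t *pat, size_t plen)
{
    if (plen == 0 || plen > n)
        return -1;
    for (size_t i = 0; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* Scan buf and return a bitmask with bit M set for every method M whose
 * signature occurs; each hit is also printed with its offset. */
uint32_t scan_anti_softice(const uint8_t *buf, size_t n)
{
    uint32_t found = 0;
    for (size_t k = 0; k < sizeof(sigs) / sizeof(sigs[0]); k++) {
        long off = find_bytes(buf, n, sigs[k].pat, sigs[k].len);
        if (off >= 0) {
            found |= 1u << sigs[k].method;
            printf("%06lx  method %02d  %s\n", (unsigned long)off, sigs[k].method, sigs[k].what);
        }
    }
    return found;
}

/* Constructed sample, not from any real binary: the HASP loop shape from
 * method 02, the method 01 probe (with the 66h prefix 32-bit code would carry)
 * and one MeltICE device name, padded with NOPs. */
const uint8_t sample[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,                        /* mov ax,0911h                */
    0x8B, 0x17,                              /* mov dx,[bx]                 */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,      /* mov si,4647h / mov di,4A4Dh */
    0xCC,                                    /* int 3                       */
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,      /* mov ebp,4243484Bh           */
    0xB8, 0x04, 0x00, 0xCC,                  /* mov ax,4 / int 3            */
    0x3C, 0x04,                              /* cmp al,4                    */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,
    0xC3,                                    /* ret                         */
};
const size_t sample_len = sizeof(sample);

int main(void)
{
    uint32_t mask = scan_anti_softice(sample, sample_len);
    printf("methods found: mask %08x\n", (unsigned)mask);
    return 0;
}
```

On the sample the scan reports methods 01, 02 and 11 (mask 0x806). To use it on a real file, read the file into a buffer and pass it to scan_anti_softice(); for packed targets, dump the process after the unpacking stub has run and scan the dump instead.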
- s- g4 B5 x8 z__________________________________________________________________________8 [9 T- y+ o) s0 Q+ ?5 R5 `/ s
% ]2 g, l: G" x* D4 n# g
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>