<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
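The following decoder is an added example, not code from the original text: it takes the DR7/DR0-DR3 values Method 10 reads and reports what they mean, using the bit layout from the Intel SDM (Vol. 3, "Debug Registers"). It shows why an idle machine reads 0x400 (only the always-set reserved bit 10), why 0x700 means the LE/GE exact-breakpoint bits are on, and how a BPM shows up as an enabled slot with its type and length. The sample register values are constructed; the function names are this example's own.

```python
# Added example: decode x86 debug registers the way Method 10 inspects them.
# Bit layout per Intel SDM Vol. 3. Sample readings below are constructed.

DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED = 1 << 10   # architecturally always reads as 1 -> idle DR7 == 0x400
DR7_GD = 1 << 13         # general detect: traps any MOV to/from DR0-DR7

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the armed hardware breakpoints plus the global control bits.
    dr0_3 holds the linear addresses read from DR0..DR3."""
    armed = []
    for i in range(4):
        local_enable = (dr7 >> (2 * i)) & 1      # L0..L3 are bits 0,2,4,6
        global_enable = (dr7 >> (2 * i + 1)) & 1  # G0..G3 are bits 1,3,5,7
        if not (local_enable or global_enable):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/Wn: condition
        ln = (dr7 >> (18 + 4 * i)) & 3            # LENn: watched size
        armed.append({
            "slot": i,
            "addr": dr0_3[i],
            "kind": RW_NAMES[rw],
            "len": LEN_BYTES[ln],
            "scope": "global" if global_enable else "local",
        })
    return {
        "breakpoints": armed,
        "exact_local": bool(dr7 & DR7_LE),
        "exact_global": bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
    }


def debugger_indicators(dr7, dr0_3=(0, 0, 0, 0)):
    """Method 10's reasoning as a list of findings; empty means the registers
    look like an undebugged machine (DR7 == 0x400, no slots armed)."""
    info = decode_dr7(dr7, dr0_3)
    findings = []
    if info["exact_local"] or info["exact_global"]:
        findings.append("LE/GE set (DR7 reads 0x700 under the SoftICE loader)")
    for bp in info["breakpoints"]:
        findings.append("DR%d armed: %s len=%d at %#x (%s)"
                        % (bp["slot"], bp["kind"], bp["len"], bp["addr"], bp["scope"]))
    if info["general_detect"]:
        findings.append("GD set: access to the debug registers itself traps")
    return findings


# Constructed sample readings (not captured from a real machine).
SAMPLES = {
    "idle":            (0x400, (0, 0, 0, 0)),
    "softice_loader":  (0x700, (0, 0, 0, 0)),
    # L0 enabled, R/W0=01 (write), LEN0=11 (4 bytes): a BPM on a dword
    "bpm_write_dword": (0x000D0401, (0x00401000, 0, 0, 0)),
}

if __name__ == "__main__":
    for name, (dr7, drs) in SAMPLES.items():
        print(name, hex(dr7), debugger_indicators(dr7, drs) or ["nothing suspicious"])
```

Reading the registers requires ring0, as the text says; the decoder is useful on values obtained any other way too, for example from a crash dump or a hypervisor trace, when deciding whether a process was under a hardware-breakpoint debugger.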
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
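The offsets in the conditional breakpoints given for Method 11 (CreateFileA) and Method 13 (_regopenkey) follow from the strings the probing program passes: `esp->N` reads the dword at [esp+N], so at a BPX on the API entry it is the N-th byte of the argument area, and `*(p+off)=='abcd'` compares the four bytes at p+off with the literal. The generator below is an added example, not part of the original text: it computes those offsets from the device names and registry subkeys the text lists and reproduces both breakpoint lines (with a `0x` prefix on the offsets, which SoftICE accepts, as the `ax==0xF386` condition above shows). The function names and the string lists are this example's own.

```python
# Added example: derive SoftICE "BPX ... if *(esp->N+off)=='abcd'" conditions
# from the strings an anti-SoftICE check passes to an API. Not original code.

def needle_offset(s, needle):
    """Byte offset of a unique 4-byte window inside s.
    SoftICE compares a dword against the literal, so the window must be 4 bytes,
    and it must occur once so the condition cannot match a different string."""
    if len(needle) != 4:
        raise ValueError("SoftICE string literals in conditions are 4 bytes")
    off = s.find(needle)
    if off < 0:
        raise ValueError("%r not found in %r" % (needle, s))
    if s.find(needle, off + 1) >= 0:
        raise ValueError("%r is not unique in %r" % (needle, s))
    return off


def condition_term(arg_offset, s, needle, base="esp"):
    """One '*(esp->N+off)==needle' term. arg_offset is the byte offset of the
    pointer argument from esp at the API entry (4 for the 1st arg, 8 for the 2nd)."""
    off = needle_offset(s, needle)
    return "*(%s->%x+%#x)=='%s'" % (base, arg_offset, off, needle)


def bpx(symbol, arg_offset, string_needle_pairs):
    """Full BPX line OR-ing one term per (string, needle) pair."""
    terms = [condition_term(arg_offset, s, n) for s, n in string_needle_pairs]
    return "BPX %s if %s" % (symbol, " || ".join(terms))


# Method 11: CreateFileA(lpFileName, ...): lpFileName is the 1st argument, [esp+4].
# The 4 bytes after the "\\.\" prefix identify the driver.
MELTICE_NAMES = [
    ("\\\\.\\SICE", "SICE"),
    ("\\\\.\\SIWVID", "SIWV"),
    ("\\\\.\\NTICE", "NTIC"),
]

# Method 13: RegOpenKey(hKey, lpSubKey, phkResult): lpSubKey is the 2nd argument,
# [esp+8]. "tICE" is the tail of "SoftICE" inside each subkey path.
SOFTICE_KEYS = [
    ("Software\\NuMega\\SoftICE", "tICE"),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE", "tICE"),
]


def meltice_bpx():
    return bpx("CreateFileA", 4, MELTICE_NAMES)


def registry_bpx():
    return bpx("_regopenkey", 8, SOFTICE_KEYS)


if __name__ == "__main__":
    print(meltice_bpx())
    print(registry_bpx())
```

The stack offsets hold only at the API entry point (before any prologue), which is where a BPX on an exported symbol stops; inside the function esp has moved and the same expression reads garbage. Picking the window at the end of the name ("tICE" rather than "Soft") keeps one literal valid for every key path that ends in SoftICE, which is why the two registry terms differ only in their offset.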

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>