About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.