About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE recognises: with
EBP = 'BCHK' and AX = 4, SoftICE answers the INT 3 and changes AL, so if
AL still holds 4 afterwards no SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point): if the VxD is present, ES:DI receives its API entry
point, otherwise both stay 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es = 0 (IVT): swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect (no
magic constant to look for): a value read from the timer port is passed
through the installed int 41h handler, which copies it into cl; when SoftICE
handles int 41h before the installed vector, cl is never set and differs
from al.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; es = 0 (IVT)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

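As an added illustration (my own code, not part of the original post), the following Python decodes a DR7 value together with the addresses in DR0..DR3 the way the check above reads them. It uses the standard Intel DR7 bit layout (an assumption of this example; the page only gives the two values 0x700 and 0x400) and reproduces the page's distinction: 0x400 is just the always-set reserved bit 10, while 0x700 additionally has the LE/GE exact-breakpoint bits. The `classify` helper and the sample register values are constructed for the demonstration.

```python
"""Decode the debug registers that Method 10 reads (added example)."""

# DR7 bit layout (standard Intel layout, assumed here; the page only gives the
# two values 0x700 and 0x400):
#   bits 0..7   L0,G0 .. L3,G3   local/global enable of breakpoint i
#   bits 8, 9   LE, GE           local/global exact breakpoint enable
#   bit 10      reserved, reads as 1 (hence the 0x400 that is always present)
#   bit 13      GD               general detect (traps any access to DR0..DR7)
#   bits 16+4i  R/Wi  00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4i  LENi  00 1 byte, 01 2 bytes, 10 8 bytes, 11 4 bytes
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Return what DR7 (plus the addresses in DR0..DR3) says is armed."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            armed.append({
                "index": i,
                "address": dr[i],
                "scope": "global" if glob else "local",
                "kind": RW_KIND[(dr7 >> (16 + 4 * i)) & 3],
                "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
            })
    return {
        "exact": bool(dr7 & 0x300),          # LE|GE: the only difference between 0x700 and 0x400
        "general_detect": bool(dr7 & 0x2000),
        "breakpoints": armed,
    }


def classify(dr7, dr=(0, 0, 0, 0)):
    """The page's heuristic: armed BPMs or LE/GE set mean a debugger is around."""
    info = decode_dr7(dr7, dr)
    if info["breakpoints"]:
        return "memory breakpoints armed"
    if info["exact"]:
        return "loaded under SoftICE loader (LE/GE set)"
    return "no debugger signs"


if __name__ == "__main__":
    # Constructed sample values: plain, SoftICE-loader, and one with two BPMs armed.
    for value in (0x400, 0x700, 0xD0723):
        print("dr7=%#x -> %s" % (value, classify(value, (0x401000, 0, 0x4010F0, 0))))
```

The decoder is the mirror image of the trick: the same bits a protection reads to decide "debugger present" are the ones an analyst clears or spoofs before single-stepping through such a check, which is why the warning above says not to trace with breakpoints set.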
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

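The BPX/BPINT conditions given with each method catch these tricks live under SoftICE. As an added example (my own code, not part of the original post), here is the static counterpart: a Python scanner that looks in a raw binary image for the opcode patterns of Methods 01 to 07 and 12, the device names of Method 11 and the registry key names of Method 13. The opcode encodings are my assumption of how the page's assembly assembles (16-bit default operand size for the DOS snippets, optional 66h prefix when the same code sits in a 32-bit segment); the sample image in `build_sample` is constructed for the demonstration and is not taken from any real file.

```python
"""Static scanner for the anti-SoftICE patterns described on this page (added example)."""
import re

# Opcode encodings are an assumption of this example (16-bit default operand
# size for the DOS snippets, optional 66h prefix when the same code sits in a
# 32-bit segment); they are not stated on the page.
OPSIZE = rb"(?:\x66)?"


def gap(n):
    """Regex fragment: up to n bytes of unrelated code between two instructions."""
    return rb"[\x00-\xff]{0,%d}?" % n


def literals(*strings):
    """Regex alternation of literal byte strings (device or key names)."""
    return b"|".join(re.escape(s) for s in strings)


OPCODE_SIGNATURES = [
    ("M01 BCHK: mov ebp,4243484Bh .. int 3",
     rb"\xbd\x4b\x48\x43\x42" + gap(8) + rb"\xcc"),
    ("M02 back door: mov si,4647h / mov di,4A4Dh .. int 3",
     rb"(?:" + OPSIZE + rb"\xbe\x47\x46" + gap(8) + OPSIZE + rb"\xbf\x4d\x4a"
     + rb"|" + OPSIZE + rb"\xbf\x4d\x4a" + gap(8) + OPSIZE + rb"\xbe\x47\x46"
     + rb")" + gap(8) + rb"\xcc"),
    ("M03/M04 VxD entry: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh",
     OPSIZE + rb"\xb8\x84\x16" + gap(8) + OPSIZE + rb"\xbb(?:\x02\x02|\x5f\x7a)"
     + gap(4) + rb"\xcd\x2f"),
    ("M05/M06 int 41h: mov ax,4Fh .. int 41h",
     OPSIZE + rb"\xb8\x4f\x00" + gap(32) + rb"\xcd\x41"),
    ("M05/M07/M12 magic: cmp ax,0F386h",
     OPSIZE + rb"\x3d\x86\xf3"),
    ("M07 V86: mov ah,43h .. int 68h",
     rb"\xb4\x43" + gap(4) + rb"\xcd\x68"),
    ("M12 VxDCall: push 4Fh / push 002A002Ah",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]

STRING_SIGNATURES = [
    ("M11 MeltICE device name",
     literals(b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")),
    ("M13 registry key",
     literals(b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
              b"App Paths\\Loader32.Exe")),
]

SIGNATURES = ([(name, re.compile(pat)) for name, pat in OPCODE_SIGNATURES]
              + [(name, re.compile(pat, re.IGNORECASE)) for name, pat in STRING_SIGNATURES])


def scan(data):
    """Return a sorted list of (offset, signature name) for every hit in data."""
    hits = []
    for name, regex in SIGNATURES:
        for m in regex.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample():
    """Constructed image for the demo: ordinary code with three of the page's tricks embedded."""
    filler = bytes.fromhex("55 8b ec 83 ec 10 33 c0 5d c3")   # push bp / mov bp,sp / sub sp,10h / xor ax,ax / pop bp / ret
    m02 = bytes.fromhex("b8 11 09"     # mov ax,0911h   (execute SIce command)
                        "8b 17"        # mov dx,[bx]
                        "be 47 46"     # mov si,4647h
                        "bf 4d 4a"     # mov di,4A4Dh
                        "cc")          # int 3
    m05 = bytes.fromhex("b8 4f 00 cd 41 3d 86 f3 74 10")  # mov ax,4fh / int 41h / cmp ax,0F386h / jz
    m11 = b"\\\\.\\SICE\x00"
    return filler + m02 + filler + m05 + filler + m11 + filler


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print("%06x  %s" % (offset, name))
```

A hit on the `cmp ax,0F386h` pattern alone is weak evidence (any 16-bit compare against that immediate matches), so treat it as corroboration for the int 41h, int 68h or VxDCall patterns rather than as a finding on its own; the string signatures, on the other hand, are as precise as the breakpoint conditions above and are the first thing to look for in a packed sample.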
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 | Powered by Discuz! X5.0