<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device can be opened, i.e. the SoftICE
   VxD is loaded and accepted the open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>