About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the SoftICE device only succeeds when the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
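As an added example (not part of the original post), a small static scanner that flags the instruction sequences of methods 01, 02, 03, 04, 05, 07 and 12 and the device-name and registry strings of methods 11 and 13 inside a raw binary image, the kind of triage check an analyst runs on a protected sample before loading it in a debugger. The sample image is constructed here, and the assumption that the 16-bit encodings appear in 32-bit code with an optional 66h operand-size prefix is mine, not the page's.

```python
import re
from typing import List, Tuple

# Optional 66h operand-size prefix (assumption): the 16-bit encodings below
# appear in 32-bit code with this prefix in front of the 16-bit register moves.
P66 = rb"\x66?"

# Instruction-level signatures for the tricks described above, using the
# standard x86 encodings (B8 = mov ax, BB = mov bx, BD = mov ebp, CD = int).
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("M01 BoundsChecker int 3", P66 + rb"\xbd\x4b\x48\x43\x42" + P66 + rb"\xb8\x04\x00\xcc"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back-door magic values)
    ("M02 int 3 back door", P66 + rb"\xbe\x47\x46" + P66 + rb"\xbf\x4d\x4a\xcc"),
    # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD ID)
    ("M03 int 2F/1684 SICE", P66 + rb"\xb8\x84\x16" + P66 + rb"\xbb\x02\x02\xcd\x2f"),
    # Method 04: same with bx=7A5Fh (SIWVID VxD ID)
    ("M04 int 2F/1684 SIWVID", P66 + rb"\xb8\x84\x16" + P66 + rb"\xbb\x5f\x7a\xcd\x2f"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("M05 int 41/4F magic", P66 + rb"\xb8\x4f\x00\xcd\x41" + P66 + rb"\x3d\x86\xf3"),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("M07 int 68/43 magic", rb"\xb4\x43\xcd\x68" + P66 + rb"\x3d\x86\xf3"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall Int41Dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
# Methods 11 and 13 are string based: driver device names and registry paths.
STRINGS: List[Tuple[str, bytes]] = [
    ("M11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M13 registry probe", rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]

def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (method, offset) for every signature hit, ordered by offset."""
    hits = []
    for name, pat in SIGNATURES:      # opcode patterns: exact bytes only
        hits += [(name, m.start()) for m in re.finditer(pat, blob)]
    for name, pat in STRINGS:         # device and registry names are case-insensitive
        hits += [(name, m.start()) for m in re.finditer(pat, blob, re.IGNORECASE)]
    return sorted(hits, key=lambda h: h[1])

# Constructed sample image (not a real program): NOP filler around the
# Method 01 sequence in its 32-bit form, Method 03 in 16-bit form, the
# Method 12 VxDCall prologue, two MeltICE device names and one registry path.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # Method 01 + cmp al,4 / jnz
    + b"\x90" * 4
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                            # Method 03
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xff\x15\x00\x00\x00\x00"        # Method 12 + call [imm32]
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                         # Method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                               # Method 13 key
)

if __name__ == "__main__":
    for method, off in scan(SAMPLE):
        print(f"{off:#06x}  {method}")
```

Run it against a dumped section of a protected executable rather than the sample to see which of the tricks above the protector uses; a hit only tells you where to look, since the same bytes can occur in data.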