About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an int 3 issued
with EBP='BCHK' and AX=4 is serviced by SoftICE, which modifies AL. If no
SoftICE is loaded, AL still holds 4 afterwards (under Win32 the int 3 then
raises a breakpoint exception, so packers usually wrap this in an exception
handler).

    mov     ebp, 04243484Bh        ; 'BCHK' signature expected by SoftICE
    mov     ax, 04h                ; BoundsChecker sub-function 4
    int     3                      ; serviced by SoftICE if it is loaded
    cmp     al, 4                  ; AL unchanged -&gt; nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE int 3 'back door' interface, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the sub-functions:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see the Ralf Brown Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/AX=1684h (Get Device API Entry Point), using the VxD ID. If the VxD
is loaded, ES:DI comes back non-zero.

    xor     di,di
    mov     es,di           ; ES:DI = 0 before the call
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point (0:0 if not loaded)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di           ; ES:DI = 0 before the call
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point (0:0 if not loaded)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov     ax, 4fh         ; int 41h/4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h      ; magic value answered by system debuggers
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is
temporarily replaced by a dummy handler, so a plain DOS int 41h would simply
return with AX unchanged; SoftICE intercepts the interrupt before the IVT
handler is reached and still answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (as in Method 06): ES:[41h*4] is the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, keep old offset in DX
    xchg    bx, es:[41h*4+2]        ; keep old segment in BX
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: AX stays 4Fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect: instead of
looking for 0F386h, the dummy handler copies AL into CL. If SoftICE is
loaded it services int 41h itself and the dummy handler never runs, so CL
stays 0 while AL holds the byte read from port 40h.

int41handler PROC
    mov     cl,al                   ; only reached if no debugger took int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: ES:[41h*4] is the IVT entry
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install dummy handler, keep old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: a pseudo-random byte in AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

(If the byte read from port 40h happens to be 0, this variant misses the
debugger on that run.)

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Int 68h/AH=43h is
another debugger installation check, answered with the same 0F386h magic.

    mov     ah,43h          ; int 68h/43h: debugger installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h (set interrupt vector) and 35h (get interrupt
vector); ds:dx points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                 ; int 21h/25h: set interrupt vector
    mov     al, Int_Number          ; 01h (single-step) or 03h (breakpoint)
    mov     dx, offset New_Int_Routine
    int     21h                     ; DS:DX -&gt; new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app via VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their value. Reading DRx is only possible in ring 0 (a MOV from a
debug register in ring 3 raises a general protection fault). The values can
be manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name the SoftICE VxD answers to under Win9x */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; not detected

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
  (esp-&gt;4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (can be very slooooow :-( ):
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, when the
open fails, hence the inc/jnz test):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 (HFILE_ERROR) -&gt; 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32, 2Ah),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch, 2Ah)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
     (esp-&gt;8 is the lpSubKey argument; 'tICE' sits at offset 0x13 in
     "Software\NuMega\SoftICE" and at 0x37 in the Uninstall key above)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -&gt; no debugger installed

This service just checks a flag.
3 z* J- O/ z& \" b1 n/ `</PRE></TD></TR></TBODY></TABLE>