About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE: with ebp='BCHK' and
ax=4, SoftICE's int 3 handler recognises the request and comes back with
al changed; otherwise al is still 4 once the program regains control.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'back door commands' on int 3, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' SoftICE requires in every back door call.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands taken from ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD via int 2Fh/AX=1684h
(Get Device API Entry Point): BX holds the VxD ID and the call returns the
VxD's V86/PM API entry point in ES:DI.  ES:DI is zeroed first so that a
non-zero ES:DI after the call can only come from a loaded VxD answering
with its entry point.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE graphics VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger.  It calls int 41h, function 4Fh (the Windows debugger
installation check).
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one and the one in Method 06 are two examples from Stone's
"stn-wid.zip" (www.cracking.net).  It temporarily replaces the int 41h
vector in the real-mode IVT (ES must be 0, as Method 06 sets it
explicitly) with a dummy handler, so that the call returns harmlessly
when no debugger is present; SoftICE intercepts int 41h itself and still
answers 0F386h.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in our handler, old vector kept in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

Second method similar to the preceding one but harder to spot, since
neither 4Fh nor 0F386h appears: AL is loaded with a more or less random
value (the PIT counter read from port 40h) and CX is zeroed.  If nothing
intercepts int 41h, the dummy handler runs and copies AL into CL; the
trick relies on SoftICE handling int 41h itself without chaining to the
IVT vector, so that CL stays 0 and differs from AL.  (If the port happens
to return 0 the check misses, so it is not reliable on every run.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system: int 01h
and int 03h are intercepted and redirected to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (which hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h                     ; ds:dx -> New_Int_Routine

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it
is.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if the program was loaded with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values.  Accessing DRx is a privileged instruction, so this
only works in ring 0; a ring 3 'mov eax,dr7' raises a general protection
fault.  Bit 10 of dr7 is reserved and always reads as 1, which is why
0x400 is the idle value; 0x700 additionally has the LE and GE bits (8 and
9) set, and a BPM shows up as one of the L0..L3/G0..G3 enable bits.
The values can be manipulated or changed as well (clearing BPMs for
instance).

__________________________________________________________________________
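To make the dr7 values quoted above readable, here is a decoder for the DR7
bit layout.  It is an added example, not code from the original text or from
any tool it mentions; the bit positions are the architectural ones from the
Intel manuals, the sample register values are constructed here, and since
DR7 itself can only be read in ring 0 the decoder takes the value as an
argument.

```python
"""Decoder for the x86 DR7 debug-control register, so that the dr7 values
quoted above (0x400 idle, 0x700 under the SoftICE loader) and any armed BPM
can be read from a register dump.  Added example; the bit positions are the
architectural ones (Intel SDM vol. 3, "Debug Registers").  The register
values passed in must already have been read in ring 0."""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN encoding: 00=1 byte, 01=2, 11=4; 10 means 8 bytes in 64-bit mode only
# and is undefined on the 32-bit systems the text is about.
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7):
    """Break DR7 into its four breakpoint slots and the global control bits."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln: enabled for this task
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn: enabled globally
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn: access that triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn: size of the watched range
        slots.append({"slot": n, "local": local, "global": glob,
                      "armed": local or glob,
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),               # local exact breakpoint match
        "ge": bool((dr7 >> 9) & 1),               # global exact breakpoint match
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always 1, hence the 0x400 baseline
        "gd": bool((dr7 >> 13) & 1),              # general detect: trap on DRx access
    }

def armed_breakpoints(dr7, dr0_3):
    """List (slot, linear address, access type, length) for every armed slot.
    dr0_3 is the sequence of DR0..DR3 values read alongside DR7."""
    return [(s["slot"], dr0_3[s["slot"]], s["type"], s["len"])
            for s in decode_dr7(dr7)["slots"] if s["armed"]]

def classify(dr7):
    """Apply the rule of thumb from the text to a DR7 value."""
    d = decode_dr7(dr7)
    if any(s["armed"] for s in d["slots"]):
        return "memory breakpoint(s) armed"
    if d["le"] and d["ge"]:
        return "LE|GE set: typical of a program started from the SoftICE loader"
    return "idle"

if __name__ == "__main__":
    # Constructed sample: loader bits plus one BPM on DR0 (write, 1 byte).
    sample_dr7 = 0x700 | 0x1 | (0x1 << 16)
    print(hex(sample_dr7), classify(sample_dr7))
    print(armed_breakpoints(sample_dr7, [0x401000, 0, 0, 0]))
```

Bit 13 (GD, general detect) is worth keeping in mind when reading the
output: it is how a debugger can turn the tables, since with GD set the very
'mov eax,dr7' that this method relies on raises a debug exception before it
completes, and the debugger sees the read attempt.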

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com.  However, it was first used by NuMega
to let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE driver accepts an open on its
 * device name, i.e. when the debugger is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, the first argument, and +4
 skips the four characters of the "\\.\" prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door.  This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey, the second argument;
offsets 0x13 and 0x37 land on the "tICE" of key #2 and key #1
respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

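The constants that Methods 01 to 05, 07 and 11 to 13 rely on are the same
ones an analyst can search for when triaging a packed binary.  The scanner
below is an added example, not code from the original text or from any tool
it mentions: it scans a raw byte blob for those constants.  The opcode
encodings are the standard x86 ones (an optional 66h operand-size prefix
covers 16-bit code using 32-bit registers and the reverse), the method labels
are the numbers used in this text, and the sample blob at the bottom is
hand-assembled here, not taken from any real file, so its hit offsets are
positions within that sample only.

```python
"""Static triage for the anti-SoftICE tricks catalogued above.

Added example, not code from the original text.  It scans a byte blob (a DOS
.EXE, a Win9x PE, a dumped unpacked image) for the constants the tricks
cannot avoid: the 'BCHK' magic (Method 01), the SI/DI back-door magics (02),
int 2Fh/1684h with the SICE or SIWVID VxD ID (03/04), int 41h/4Fh (05),
int 68h/AH=43h (07), the 0F386h reply compared in AX (05/07/12), the
VWIN32_Int41Dispatch VxDCall ordinal (12), the MeltICE device names (11) and
the registry keys (13).  The sample blob at the end is constructed here."""
import re

def _code(pattern):
    # Lazy wildcard gaps (.{0,8}?) tolerate a few instructions between the parts.
    return re.compile(pattern, re.DOTALL)

def _text(s):
    """Match S as ASCII or as UTF-16LE (what CreateFileW / RegOpenKeyExW see)."""
    narrow = re.escape(s.encode("ascii"))
    wide = b"".join(re.escape(bytes([c])) + b"\x00" for c in s.encode("ascii"))
    return re.compile(b"(?:" + narrow + b"|" + wide + b")", re.IGNORECASE)

SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') before int 3",
     _code(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("02", "int 3 back door magics SI=4647h ('FG'), DI=4A4Dh ('JM')",
     _code(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"
           rb"|\x66?\xBF\x4D\x4A.{0,8}?\x66?\xBE\x47\x46")),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     _code(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F")),
    ("05", "int 41h function 4Fh",
     _code(rb"\xB8\x4F\x00.{0,16}?\xCD\x41")),
    ("07", "int 68h function 43h",
     _code(rb"\xB4\x43.{0,8}?\xCD\x68")),
    ("05/07/12", "cmp ax,0F386h (system-debugger magic)",
     _code(rb"\x66?\x3D\x86\xF3")),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch for VxDCall)",
     _code(rb"\x68\x2A\x00\x2A\x00")),
]
for name in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"):
    SIGNATURES.append(("11", "MeltICE device name " + name, _text(name)))
for key in (r"NuMega\SoftICE", r"Uninstall\SoftICE", r"App Paths\Loader32.Exe"):
    SIGNATURES.append(("13", "registry key ...\\" + key, _text(key)))

def scan(blob):
    """Return sorted (offset, method, description) tuples for every hit in BLOB."""
    hits = [(m.start(), method, desc)
            for method, desc, rx in SIGNATURES
            for m in rx.finditer(blob)]
    return sorted(hits)

def methods_found(blob):
    """The set of method labels (as used in the text) whose signature is present."""
    return {method for _, method, _ in scan(blob)}

# Constructed sample: hand-assembled fragments of the tricks, not a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # 02: mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # 03: mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"          # 12: push 4Fh; push 002A002Ah
    + b"\\\\.\\SICE\x00"                                    # 11: ASCII device name
    + "\\\\.\\NTICE\x00".encode("utf-16-le")                # 11: wide device name
    + b"Software\\NuMega\\SoftICE\x00"                      # 13: registry key #2
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {method:<9} {desc}")
```

A hit only says that the constant is present; a packer that builds the magic
values at run time (for example by adding two halves together) will not be
caught this way, which is exactly why the breakpoints given under each method
remain the more reliable check.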
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed          ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>