<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get entry point'):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========
Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).

___________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the Win9x SoftICE driver answers to its device name. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
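As an added example (not part of the original text, nor code from any of the tools named above): a Python triage script that looks for the byte patterns of Methods 01, 02, 05, 11 and 12 in a raw code buffer, so the checks can be located statically before the sample is ever run under the debugger. The instruction encodings are the standard 16-bit forms (with an optional 66h prefix for 32-bit code); the signature names and the sample buffer are constructed for this demonstration.

```python
import re
from typing import List, Tuple

# Byte signatures of the tricks documented above. 16-bit encodings, with an
# optional 66h operand-size prefix so the same idiom is found in 32-bit code:
# B8 iw = mov ax,imm16   BE iw = mov si,imm16   BF iw = mov di,imm16
# 3D iw = cmp ax,imm16   CD ib = int ib         CC = int 3
# BD id = mov ebp,imm32  6A ib = push imm8      68 id = push imm32
SIGNATURES = [
    # Method 01: mov ebp,04243484Bh ('BCHK') before the int 3
    ("boundschecker_bchk_signature", re.compile(rb"\xbd\x4b\x48\x43\x42")),
    # Method 02: magic values SI=4647h and DI=4A4Dh (either order), then int 3
    ("softice_int3_backdoor", re.compile(
        rb"(?:\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a|\x66?\xbf\x4d\x4a\x66?\xbe\x47\x46)"
        rb".{0,6}?\xcc", re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("int41_4f_debugger_check", re.compile(
        rb"\x66?\xb8\x4f\x00\xcd\x41\x66?\x3d\x86\xf3")),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    ("vwin32_int41dispatch_4f", re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen
    ("softice_device_name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(buf: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = [(name, m.start()) for name, pat in SIGNATURES for m in pat.finditer(buf)]
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample buffer (not a real binary): NOP padding around a
# Haspinst-style INT 3 back door call, the int 41h check, the VxDCall
# variant and a MeltICE device-name string.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x11\x09"                       # mov ax,0911h (execute command)
    + b"\x8b\x17"                           # mov dx,[bx]
    + b"\xbe\x47\x46"                       # mov si,4647h
    + b"\xbf\x4d\x4a"                       # mov di,4A4Dh
    + b"\xcc"                               # int 3
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 8
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"       # push 4Fh / push 002A002Ah
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                    # "\\.\SICE" as CreateFileA receives it
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a dumped code section; a hit only locates the check, it says nothing about what the program does with the result.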
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>