<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
  -AX = 0910h (Display string in SIce windows)
  -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
  -AX = 0912h (Get breakpoint infos)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
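As an added example (not code from the original text), the following Python scanner flags the two int 3 tricks above in raw code bytes: it looks back from every int 3 (CCh) for the immediate loads that precede it (mov si,4647h / mov di,4A4Dh for the back door, mov ebp,4243484Bh for the BCHK check) and names the back-door function from the preceding mov ax,09xxh. The opcode encodings are the standard ones (B8+r iw for mov r16,imm16 in 16-bit code, BD id for mov ebp,imm32 in 32-bit code); the 32-byte look-back window, cut at the previous int 3, is an assumption of this scanner, and the sample buffer is constructed from the two listings above.

```python
"""Flag SoftICE int 3 back-door / BoundsChecker sequences (methods 01 and 02)
in raw code bytes. Added example; the look-back window and sample are assumptions."""

# Opcode byte patterns; immediates are little-endian.
MAGIC_SI = b"\xBE\x47\x46"           # mov si, 4647h  (16-bit code)
MAGIC_DI = b"\xBF\x4D\x4A"           # mov di, 4A4Dh  (16-bit code)
BCHK = b"\xBD\x4B\x48\x43\x42"       # mov ebp, 4243484Bh ('BCHK'); in 16-bit code a 66h prefix precedes it
INT3 = 0xCC
WINDOW = 32                          # assumed: how far back from an int 3 the loads may sit

BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}


def _ax_load(window: bytes):
    """Immediate of the last `mov ax, imm16` (B8 iw) in the window, or None."""
    pos = window.rfind(b"\xB8")
    if pos == -1 or pos + 3 > len(window):
        return None
    return int.from_bytes(window[pos + 1:pos + 3], "little")


def scan_int3_backdoor(code: bytes) -> list:
    """Report every int 3 whose preceding bytes load the SoftICE magic values."""
    hits = []
    start = 0                        # never look back past the previous int 3
    for off, byte in enumerate(code):
        if byte != INT3:
            continue
        window = code[max(start, off - WINDOW):off]
        start = off + 1
        if MAGIC_SI in window and MAGIC_DI in window:
            ax = _ax_load(window)
            hits.append({
                "offset": off,
                "trick": "int 3 back door (method 02)",
                "function": BACKDOOR_FUNCS.get(ax, "unknown") if ax is not None else "unknown",
            })
        elif BCHK in window:
            hits.append({"offset": off, "trick": "BoundsChecker BCHK (method 01)", "function": "n/a"})
    return hits


# Constructed sample: the Haspinst sequence, then the method 01 sequence, then a
# plain int 3 far away from any magic load.
SAMPLE_CODE = (
    b"\x90\x90"                      # 0-1   nop padding
    + b"\xB8\x11\x09"                # 2-4   mov ax, 0911h
    + b"\x8B\x17"                    # 5-6   mov dx, [bx]
    + b"\xBE\x47\x46"                # 7-9   mov si, 4647h
    + b"\xBF\x4D\x4A"                # 10-12 mov di, 4A4Dh
    + b"\xCC"                        # 13    int 3
    + b"\x83\xC3\x02"                # 14-16 add bx, 2
    + b"\xBD\x4B\x48\x43\x42"        # 17-21 mov ebp, 4243484Bh (32-bit code)
    + b"\x66\xB8\x04\x00"            # 22-25 mov ax, 4 (32-bit code)
    + b"\xCC"                        # 26    int 3
    + b"\x3C\x04"                    # 27-28 cmp al, 4
    + b"\x90" * 40                   # 29-68 padding
    + b"\xCC"                        # 69    ordinary int 3, nothing to report
)

if __name__ == "__main__":
    for hit in scan_int3_backdoor(SAMPLE_CODE):
        print(f"{hit['offset']:#06x}: {hit['trick']} - {hit['function']}")
```

Because this is byte matching rather than disassembly, a magic constant embedded in data or in a longer instruction can give a false positive; the cut at the previous int 3 is what keeps the first sequence's SI/DI loads from being attributed to the second int 3.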

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to point at the interrupt vector table (segment 0),
    ; as set up explicitly in method 06.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

    int41handler PROC
        mov cl, al
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
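To make the difference between methods 05 and 06 concrete, here is an added Python model (not code from the original text or from Stone's archive) of a tiny real-mode machine: registers, an interrupt vector table, and an optional ring-0 debugger trap that sees int 41h before the real-mode vector is consulted, which is why swapping the vector does not get rid of the debugger. The trap's behaviour (answering function 4Fh with 0F386h and swallowing other int 41h calls unless told to chain) and the byte returned by in al,40h are assumptions of the model.

```python
"""Model of the int 41h debugger checks (methods 05 and 06). Added example;
the debugger trap and the timer value are assumptions, not SoftICE internals."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

MAGIC = 0xF386          # value returned by system debuggers for int 41h, function 4Fh

Handler = Callable[["Machine"], None]
Trap = Callable[["Machine", int], bool]


@dataclass
class Machine:
    """Toy real-mode machine: registers, IVT and an optional ring-0 trap that
    is consulted before the IVT for every software interrupt."""
    regs: Dict[str, int] = field(default_factory=lambda: {"ax": 0, "cx": 0})
    ivt: Dict[int, Handler] = field(default_factory=dict)
    monitor: Optional[Trap] = None
    timer_byte: int = 0x5A   # constructed: what `in al, 40h` returns this time

    def int_(self, vector: int) -> None:
        if self.monitor is not None and self.monitor(self, vector):
            return                       # intercepted; the real-mode vector never runs
        handler = self.ivt.get(vector)
        if handler is not None:
            handler(self)


def make_debugger(chain: bool) -> Trap:
    """Debugger trap (assumption modelled on the text): answers function 4Fh
    with MAGIC; other int 41h calls are swallowed unless chain=True."""
    def trap(m: Machine, vector: int) -> bool:
        if vector != 0x41:
            return False
        if (m.regs["ax"] & 0xFF) == 0x4F:
            m.regs["ax"] = MAGIC
            return True
        return not chain
    return trap


def program_int41(m: Machine) -> None:
    """The program's own handler from method 06: mov cl, al ; iret."""
    m.regs["cx"] = (m.regs["cx"] & 0xFF00) | (m.regs["ax"] & 0xFF)


def method05(m: Machine) -> bool:
    """mov ax, 4Fh ; int 41h ; cmp ax, 0F386h"""
    m.regs["ax"] = 0x4F
    m.int_(0x41)
    return m.regs["ax"] == MAGIC


def method06(m: Machine) -> bool:
    """Install our own int 41h vector, call it with al = timer byte, test cl == al."""
    saved = m.ivt.get(0x41)              # the first xchg pair saves the old vector
    m.ivt[0x41] = program_int41
    m.regs["ax"] = m.timer_byte          # xor ax, ax ; in al, 40h
    m.regs["cx"] = 0                     # xor cx, cx
    m.int_(0x41)
    if saved is None:                    # the second xchg pair restores the vector
        del m.ivt[0x41]
    else:
        m.ivt[0x41] = saved
    return (m.regs["cx"] & 0xFF) != (m.regs["ax"] & 0xFF)


if __name__ == "__main__":
    for label, m in [("no debugger", Machine()),
                     ("debugger", Machine(monitor=make_debugger(chain=False))),
                     ("debugger, timer byte 0", Machine(monitor=make_debugger(chain=False), timer_byte=0)),
                     ("debugger that chains", Machine(monitor=make_debugger(chain=True)))]:
        print(f"{label:24s} method05={method05(m)} method06={method06(m)}")
```

The model shows what the text means by "more difficult to detect": method 05 exposes two constants (4Fh going in, 0F386h coming out) that a conditional breakpoint such as BPINT 41 if ax==4f can key on, whereas method 06 compares CL against whatever the timer port returned, so the only fixed observable left is the write to the int 41h vector itself. It also shows the trick's two failure modes: a debugger that chains to the old vector is not seen, and a timer byte of zero gives a false negative.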

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
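Method 10 reads the debug registers, but the text only quotes two DR7 values. As an added example (not code from the original text), here is a Python decoder for DR7 using the bit layout from the Intel SDM: it lists which of DR0..DR3 are armed, for what access type and length, and shows what 0x700 and 0x400 actually say (LE and GE set versus only the always-set bit 10; no breakpoint enabled in either case). The register values used in the demo are constructed.

```python
"""Decode DR7, the x86 debug-control register read in method 10.
Added example; the sample register values are constructed."""
from dataclasses import dataclass
from typing import Dict, List

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 means 8 bytes only in 64-bit mode


@dataclass
class HwBreakpoint:
    index: int       # 0..3: which of DR0..DR3 holds the address
    address: int
    kind: str        # execute / write / io / read-write
    length: int      # bytes covered
    scope: str       # "local", "global" or "local+global" (Lx / Gx enable bits)


def decode_dr7(dr7: int, dr0_3: List[int]) -> List[HwBreakpoint]:
    """List the breakpoints DR7 enables. Layout (Intel SDM vol. 3, DR7):
    bits 0-7 = L0,G0,L1,G1,L2,G2,L3,G3; for breakpoint i, R/Wi is at
    bits 16+4i..17+4i and LENi at bits 18+4i..19+4i."""
    found = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        scope = "local+global" if local and glob else ("local" if local else "global")
        found.append(HwBreakpoint(i, dr0_3[i], RW_KIND[rw], LEN_BYTES[ln], scope))
    return found


def dr7_flags(dr7: int) -> Dict[str, bool]:
    """The non-breakpoint bits: LE (bit 8), GE (bit 9), the always-set bit 10, GD (bit 13)."""
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "bit10": bool(dr7 & 0x400), "GD": bool(dr7 & 0x2000)}


def describe(dr7: int, dr0_3: List[int]) -> List[str]:
    """One line per enabled breakpoint, or a summary of the flags if there is none."""
    bps = decode_dr7(dr7, dr0_3)
    if not bps:
        return [f"DR7={dr7:#x}: no hardware breakpoint enabled, flags={dr7_flags(dr7)}"]
    return [f"DR{b.index}={b.address:#x} {b.kind} len={b.length} ({b.scope})" for b in bps]


if __name__ == "__main__":
    zeros = [0, 0, 0, 0]
    for line in describe(0x700, zeros) + describe(0x400, zeros):
        print(line)
    # Constructed: one global 4-byte write breakpoint on DR0 (G0, R/W0=01, LEN0=11, bit 10).
    for line in describe(0xD0402, [0x401000, 0, 0, 0]):
        print(line)
```

The two values the text quotes therefore differ only in LE/GE (bits 8 and 9), not in any breakpoint being armed; a memory breakpoint shows up as an Lx/Gx enable bit plus a non-zero DRx, which is what the constructed 0xD0402 case illustrates.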
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
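Methods 11 and 13 both come down to fixed strings, and the conditional breakpoints quoted for them compare a dword at a fixed offset into those strings. As an added Python example (not code from the original text), the following scans a buffer for the device names and registry paths in both ASCII and UTF-16LE (the wide form covers CreateFileW/RegOpenKeyW callers) and derives the offsets those breakpoint conditions use: +4 into "\\.\SICE" is 'SICE', and +0x13 / +0x37 are where 'tICE' sits in keys #2 and #1. The sample buffer is constructed.

```python
"""Find the MeltICE device names (method 11) and SoftICE registry paths
(method 13) in a binary, and derive the string offsets the breakpoint
conditions in the text compare against. Added example; the sample is constructed."""
from typing import Dict, List, Tuple

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_PATHS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",       # key #1
    r"Software\NuMega\SoftICE",                                          # key #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",  # key #3
]


def tag_offset(s: str, tag: str) -> int:
    """Byte offset of a 4-character tag inside s, i.e. the '+n' in `*(ptr+n)=='tag'`."""
    if len(tag) != 4:
        raise ValueError("SoftICE compares a 4-byte dword, so the tag must be 4 chars")
    off = s.find(tag)
    if off == -1:
        raise ValueError(f"{tag!r} does not occur in {s!r}")
    return off


def bpx_tags() -> Dict[str, str]:
    """The dword at +4 of each device name: what `*(esp->4+4)=='SICE'` tests."""
    return {name: name[4:8] for name in DEVICE_NAMES}


def find_strings(blob: bytes, needles: List[str]) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, string) for each ASCII or UTF-16LE occurrence."""
    hits = []
    for s in needles:
        for enc, raw in (("ascii", s.encode("ascii")), ("utf-16le", s.encode("utf-16-le"))):
            pos = blob.find(raw)
            while pos != -1:
                hits.append((pos, enc, s))
                pos = blob.find(raw, pos + 1)
    return sorted(hits)


# Constructed sample: 16 zero bytes, the SICE device name as an ASCII C string,
# then registry key #2 as a UTF-16LE string.
SAMPLE_BLOB = (
    b"\x00" * 16
    + DEVICE_NAMES[0].encode("ascii") + b"\x00"
    + REGISTRY_PATHS[1].encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for off, enc, s in find_strings(SAMPLE_BLOB, DEVICE_NAMES + REGISTRY_PATHS):
        print(f"{off:#06x} {enc:8s} {s}")
    print("CreateFileA tags at +4:", bpx_tags())
    print("RegOpenKey 'tICE' offsets:",
          {p: hex(tag_offset(p, "tICE")) for p in REGISTRY_PATHS[:2]})
```

Running it reproduces the three CreateFileA tags from the BPX above ('SICE', 'SIWV', 'NTIC') and the 0x13 and 0x37 offsets from the _regopenkey breakpoint, so the same helper can be used to build the condition for any further string a sample is seen to open.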

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>