<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must point to the interrupt vector table (segment 0) here, as in
    ; Method 06: the int 41h vector is temporarily swapped for a dummy
    ; handler, so the vector stored in the IVT cannot be what answers
    ; with the magic number.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                  ; the dummy handler echoes AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install the dummy int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; AL = PIT counter, a changing value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; CL != AL: our handler was not reached
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the SoftICE VxD by its device name */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* the handle opened: the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
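
The tricks in Methods 01 to 07, 11 and 12 leave fixed byte sequences in the
protected program, so an analyst can also spot them statically in a file instead
of waiting for a BPX to fire. Here is a small static scanner, an added example that
is not part of the original text: SIGNATURES, scan and the constructed SAMPLE
buffer are my own, and the byte patterns are the standard x86 encodings of the
instructions listed above.

```python
import re

# Byte patterns for the checks shown in Methods 01-07, 11 and 12: standard
# x86 encodings of the listed instructions. The 66h operand-size prefix that
# 32-bit code puts before 16-bit register moves is left out of each pattern
# on purpose, so both 16-bit and 32-bit builds match.
SIGNATURES = {
    "01 BoundsChecker 'BCHK': mov ebp,4243484Bh":
        rb"\xBD\x4B\x48\x43\x42",
    "02 back door magic: mov si,4647h ... mov di,4A4Dh":
        rb"\xBE\x47\x46.{0,4}\xBF\x4D\x4A",
    "03 int 2Fh/1684h with VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "05/06 int 41h function 4Fh: mov ax,4Fh / int 41h":
        rb"\xB8\x4F\x00\xCD\x41",
    "07 int 68h function 43h: mov ah,43h / int 68h":
        rb"\xB4\x43\xCD\x68",
    "11 MeltICE device name (CreateFileA / _lopen)":
        rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
    "12 VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}


def scan(data):
    """Return a sorted list of (offset, description) for every pattern found."""
    hits = []
    for desc, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, flags=re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample (not a real binary): a 32-bit stub doing the Method 01
# check, then the Method 12 VxDCall, then the MeltICE device name string.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"           # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"               # mov ax, 4
    + b"\xCC"                           # int 3
    + b"\x3C\x04"                       # cmp al, 4
    + b"\x75\x10"                       # jnz SoftICE_Detected
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"   # push 4Fh / push 2A002Ah
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                # "\\.\SICE", 0
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print("%08x  Method %s" % (offset, desc))
```

Run against a real file with scan(open(path, "rb").read()); a hit only says the
sequence is present, so confirm it in a disassembler before treating it as a trick.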

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>