<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                   ; al is no longer 4 when SoftICE handled the int 3
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point (0000:0000 if absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; ES is assumed to be 0 (interrupt vector table)
    xchg bx, es:[41h*4+2]       ; install our own handler, keep the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect, since
neither function 4Fh nor the magic value 0F386h appears in the code:


int41handler PROC
    mov cl,al                   ; our handler only copies al into cl
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax                   ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read the timer: a value that cannot be predicted
    xor cx,cx
    int 41h                     ; if SoftICE intercepts it, our handler never runs
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                   ; cl == al only if our handler was reached
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                 ; DOS: set interrupt vector
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
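Added example, not part of the original text: a Python decoder for the x86
DR7 debug control register, so that the two values quoted above (0x700 with
the SoftICE loader, 0x400 otherwise) and a register with a memory breakpoint
armed can be read field by field instead of compared as opaque numbers. The
bit layout is the documented DR7 format; the function names and the sample
values are this example's own.

```python
# Added example (not from the original text): decode the x86 DR7 debug
# control register so that the values quoted in Method 10 (dr7 = 0x700 with
# the SoftICE loader, 0x400 otherwise) and a register with a memory
# breakpoint armed can be read field by field. The bit layout is the
# documented DR7 format; function names and sample values are this
# example's own.

LE_BIT = 0x100          # local exact breakpoint enable
GE_BIT = 0x200          # global exact breakpoint enable
RESERVED_BIT10 = 0x400  # architecturally reads as 1, hence the 0x400 baseline
GD_BIT = 0x2000         # general detect: fault on any MOV to/from DR0-DR7

RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}  # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global control bits and the four breakpoint slots."""
    fields = {
        "le": bool(dr7 & LE_BIT),
        "ge": bool(dr7 & GE_BIT),
        "reserved_bit10": bool(dr7 & RESERVED_BIT10),
        "gd": bool(dr7 & GD_BIT),
        "slots": [],
    }
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # L0..L3: bits 0, 2, 4, 6
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # G0..G3: bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * n)) & 0b11         # R/W0..3: bits 16-17, 20-21, ...
        length = (dr7 >> (18 + 4 * n)) & 0b11     # LEN0..3: bits 18-19, 22-23, ...
        fields["slots"].append({
            "slot": n,
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else None),
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[length],
        })
    return fields


def armed_slots(dr7: int) -> list:
    """Indices of DR0..DR3 that currently hold an enabled breakpoint."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def matches_loader_signature(dr7: int) -> bool:
    """The page's heuristic: LE and GE both set (0x700) rather than the bare 0x400."""
    f = decode_dr7(dr7)
    return f["le"] and f["ge"]


if __name__ == "__main__":
    # Constructed samples: the two values from the text, plus a DR7 with a
    # 4-byte read/write breakpoint (the equivalent of a BPM RW) armed in DR0.
    for value in (0x400, 0x700, 0xF0702):
        print(hex(value), "armed slots:", armed_slots(value), decode_dr7(value))
```

Reading DR0-DR7 needs ring 0 (a MOV from a debug register faults in user
mode), which is why the text restricts the trick to ring0; the decoder itself
only needs the value. The 0x400 baseline is bit 10, which the CPU always
reports as set, so a DR7 with nothing armed never reads as zero.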

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name the SoftICE VxD answers to */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the handle was opened: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
    (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
    4-byte compare lands on the device name)
-The most exotic ones (could be very slooooow :-()
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code of
methods 05 & 06) but very limited because it's only available for Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________
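Added example, not part of the original text and not the code of any author
or tool named on this page: a Python triage scanner that looks for the byte
sequences and strings characteristic of Methods 01-07, 11, 12 and 13 in a
file image, so an analyst can locate these checks statically before tracing
them. The opcode encodings are the standard x86 ones for the instructions
the page shows (32-bit call sites carry a 66h operand-size prefix, which the
patterns accept as a suffix match); the labels, function names and the
sample buffer are constructed here.

```python
# Added example (not from the original text, and not the code of any author
# or tool named on this page): a static triage scanner for the byte sequences
# and strings that characterise Methods 01-07, 11, 12 and 13. Opcode
# encodings are the standard x86 ones for the instructions the page shows;
# labels, function names and the sample buffer are constructed here.
import re

SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD imm32, optional 66h prefix) ... int 3
    ("M01 BoundsChecker/SoftICE int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order), then int 3
    ("M02 SoftICE back door (SI=4647h DI=4A4Dh + int 3)",
     re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Methods 05/06: mov ax,4Fh ; int 41h
    ("M05/06 int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    # Method 12: push 4Fh (6A 4F or 68 4F 00 00 00) ; push 002A002Ah
    ("M12 VxDCall VWIN32_Int41Dispatch (002A002Ah) function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # The magic value compared after Methods 05, 06, 07 and 12: cmp ax,0F386h
    ("cmp ax,0F386h (system debugger magic value)",
     re.compile(rb"\x3D\x86\xF3")),
    # Method 11: device names opened by MeltICE-style code
    ("M11 SoftICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry keys that reveal the installation directory
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I)),
]


def scan(data: bytes) -> list:
    """Return (offset, label) for every signature hit, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def labels(data: bytes) -> set:
    """The set of signature labels that fire on the buffer."""
    return {label for _, label in scan(data)}


# Constructed sample buffer: the Haspinst.exe loop body from Method 02,
# a Method 05 check with its magic-value compare, a MeltICE device name
# and the NuMega registry key, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # "\\.\SICE",0
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    # Replace SAMPLE with open(path, "rb").read() to triage a real file.
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Hits are indicators to review, not proof: the short windows between
instructions tolerate small reorderings but not obfuscated or self-modifying
code, and the cmp ax,0F386h pattern on its own is weak evidence. Each hit
should be confirmed by disassembling the surrounding bytes.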

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
    in "Software\NuMega\SoftICE" and in the CurrentVersion\Uninstall\SoftICE
    path respectively)


__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>