<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh    ; 'BCHK'
 mov ax, 04h
 int 3                  ; SoftICE services the BoundsChecker request and changes al
 cmp al,4               ; al unchanged (4) -> nobody answered
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is in ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

 xor di,di
 mov es,di              ; ES:DI = 0000:0000 before the call
 mov ax, 1684h
 mov bx, 0202h          ; VxD ID of winice
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point (still 0 if no VxD)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh          ; VxD ID of SIWVID
 int 2fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax              ; ES = 0000h, the interrupt vector table (as in method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; install our own int 41h handler, keep the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]    ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret                   ; an unhooked int 41h just returns, ax stays 4fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al              ; only runs if int 41h really reaches the IVT vector
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax              ; ES = 0000h, the interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; install our handler, keep the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h             ; al = arbitrary value read from the timer chip
 xor cx,cx              ; cl = 0
 int 41h
 xchg dx, es:[41h*4]    ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; our handler never ran -> int 41h was intercepted
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h                     ; DOS set interrupt vector
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine  ; ds:dx -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* succeeds only if the SICE VxD answers the DIOC_OPEN message */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025     ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                ; HFILE_ERROR (-1) becomes 0
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386                     ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
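As an added, analyst-side example that is not part of the original text: a small Python scanner that searches a binary image for the raw encodings of the checks from methods 01 to 05, 07, 11, 12 and 13, the kind of triage one runs on a packer or protector to spot anti-debugging code before stepping into it. The instruction encodings are derived here from the mnemonics above (an optional 66h prefix accepts both the 16-bit and the 32-bit operand-size form), and the sample image at the bottom is constructed for this example.

```python
import re

# Raw x86 encodings of the instruction pairs quoted on this page (derived from
# the mnemonics; "(?:\x66)?" tolerates the 32-bit operand-size prefix).
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' request via int 3",     # mov ebp,4243484Bh; mov ax,4; int 3
     rb"(?:\x66)?\xbd\x4b\x48\x43\x42(?:\x66)?\xb8\x04\x00\xcc"),
    ("02 SoftICE back door magic SI=4647h DI=4A4Dh",   # mov si,4647h; mov di,4A4Dh
     rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a"),
    ("03 int 2Fh/1684h with VxD ID 0202h (SICE)",      # mov ax,1684h; mov bx,0202h; int 2Fh
     rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb\x02\x02\xcd\x2f"),
    ("04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",    # mov ax,1684h; mov bx,7A5Fh; int 2Fh
     rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb\x5f\x7a\xcd\x2f"),
    ("05 int 41h function 4Fh",                        # mov ax,4Fh; int 41h
     rb"(?:\x66)?\xb8\x4f\x00\xcd\x41"),
    ("07 int 68h function 43h",                        # mov ah,43h; int 68h
     rb"\xb4\x43\xcd\x68"),
    ("11 MeltICE device name",                         # "\\.\SICE" etc. for CreateFileA/_lopen
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12 VxDCall VWIN32_Int41Dispatch function 4Fh",   # push 4Fh; push 002A002Ah
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("13 SoftICE registry key",                        # key #2 of method 13
     rb"Software\\NuMega\\SoftICE"),
]


def scan(buf: bytes) -> list:
    """Return (offset, description) pairs for every signature hit in buf, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample image: NOP padding around four of the checks described above.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"        # method 02, Haspinst style
    + b"\x90" * 4
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                        # method 03
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xff\x15\x00\x00\x00\x00"    # method 12 followed by call [imm32]
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                         # method 11 device name
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the bytes are present; confirm in a disassembler that they sit in reachable code and are not data or an unrelated instruction boundary.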
</PRE></TD></TR></TBODY></TABLE>