About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: int 3 is called with
EBP='BCHK' and AX=04h. If SoftICE is loaded it answers the call and AL no
longer holds 04h; otherwise the int 3 has to be absorbed by the program's
own exception handler and AL comes back unchanged.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'back door' interface on int 3, which gives information on
breakpoints or executes SoftICE commands. It is also used to crash SoftICE
and to force it to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry for int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used. It asks for the API entry point of the SoftICE VxD (device ID
0202h) via int 2Fh, function 1684h (Get Device API Entry Point). If the VxD
is loaded, ES:DI receives its entry point; otherwise ES:DI is left at
0000:0000, which is why the code zeroes it first.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Looks for the 'magic number' 0F386h that all system debuggers return (in AX)
when int 41h is called with function 4Fh, the debugger installation check.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first swaps its own handler into
the int 41h vector: without a system debugger underneath, the call lands in
that handler and AX comes back unchanged, whereas SoftICE intercepts int 41h
before the vector in the IVT is reached and still returns 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES = 0 (real-mode IVT), as set in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
private handler copies AL into CL; AL is loaded with a timer byte (port 40h)
and CX is cleared before the call. If the interrupt reaches the program's own
handler, CL == AL afterwards; if something underneath intercepts int 41h and
does not pass it on to the vector, CL is still 0 and the comparison fails:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                ; ES = 0 -> real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h              ; PIT counter 0: a pseudo-random byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86). AH=43h is the debugger
installation check; a loaded debugger returns AX=0F386h.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

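Reading the registers needs ring 0, but interpreting the value does not. The following Python decoder is an added example (not part of the original text): it splits DR7 into its documented fields and applies the heuristic above, where 0x400 is the always-set reserved bit alone, 0x700 adds LE and GE, and any Ln/Gn bit means a memory breakpoint is armed in the matching DRn. The sample values 0x000D0401, 0x480 and 0x2400 are constructed to exercise the decoder, not observed on a real machine.

```python
"""Decode x86 DR7 for the debug-register check of Method 10 (added example)."""
from dataclasses import dataclass

# Documented DR7 layout: bits 0-7 = L0,G0,...,L3,G3; bit 8 LE; bit 9 GE;
# bit 10 reserved (reads as 1); bit 13 GD; bits 16+4n = R/Wn, 18+4n = LENn.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 8 is only valid in 64-bit mode


@dataclass(frozen=True)
class HwBreakpoint:
    index: int        # which of DR0..DR3 holds the address
    local: bool       # Ln set
    global_: bool     # Gn set
    kind: str         # break condition
    length: int       # bytes covered


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the LE/GE/GD flags."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append(HwBreakpoint(n, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return {
        "breakpoints": bps,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def classify(dr7: int) -> str:
    """The Method 10 heuristic, as a function of the raw DR7 value."""
    info = decode_dr7(dr7)
    if info["gd"]:
        return "GD set: any MOV to/from DRn traps to the debugger"
    if info["breakpoints"]:
        return "hardware breakpoint(s) present (BPM)"
    if info["le"] or info["ge"]:
        return "no breakpoints, but LE/GE set (0x700 pattern: loaded under the SoftICE loader)"
    return "clean (0x400 pattern)"


if __name__ == "__main__":
    # Constructed sample values, not captured from a real machine.
    for value in (0x400, 0x700, 0x000D0401, 0x480, 0x2400):
        info = decode_dr7(value)
        print(f"DR7={value:#010x}: {classify(value)}")
        for bp in info["breakpoints"]:
            print(f"  DR{bp.index}: {bp.kind}, {bp.length} byte(s), "
                  f"local={bp.local} global={bp.global_}")
```

Run it as-is to see the sample values decoded, or feed classify() a DR7 value obtained from your own ring-0 code (on Windows, a thread CONTEXT requested with CONTEXT_DEBUG_REGISTERS also carries Dr7; that source is an assumption of this note, not something the page describes). The GD case is listed first because, when a debugger has set it, the very MOV that reads DR7 traps before the comparison is ever made.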
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver devices
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) driver answers an open request. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work.
After the call to CreateFileA the request goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how could a shareware program load/unload
a non-dynamically loadable driver such as SoftICE anyway ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>