About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: the program issues the
'BCHK' request (ebp = 'BCHK', ax = 4) through int 3. If SoftICE is loaded,
its int 3 handler answers the request and al is no longer 4 on return;
without SoftICE, al is left untouched.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It uses
the SoftICE 'back door' on int 3, which gives information on breakpoints,
executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed before the call and is only
changed if the VxD answers, so ES+DI != 0 means the VxD is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). The int 41h entry in the
interrupt vector table is swapped with a dummy iret handler around the call,
so a debugger that only hooks the vector is bypassed; the 0F386h answer can
then only come from something that intercepts int 41h before the vector
table is consulted, which is how SoftICE hooks it from V86 mode:

    xor     ax,ax
    mov     es,ax                ; es -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; install the dummy handler, keep old offset
    xchg    bx, es:[41h*4+2]     ; ...and old segment
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
4Fh never appears in ax. The dummy handler copies al into cl, so after the
call cl equals al only if that handler actually ran; if something else
intercepted int 41h, cl is still 0. al is loaded from the PIT counter (port
40h) so the value is not constant (a reading of 0 gives a false negative).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                ; es -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h              ; changing value, no 4Fh in sight
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): function
ah=43h returns the same 0F386h 'debugger installed' value as int 41h/4Fh.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise:
bit 10 of dr7 is reserved and always reads as 1, and 0x700 adds the LE and
GE bits 8 and 9) or if there are some memory breakpoints set (dr0 to dr3),
simply by reading their value (in ring0 only, since a mov from a debug
register is a privileged instruction). Values can be manipulated or changed
as well (clearing BPMs for instance)
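The following C program is added here as an illustration and is not part of
the original article. It decodes a DR7 value into what Method 10 reads from
it: the LE/GE bits that distinguish 0x700 from 0x400, and which of dr0-dr3
hold an enabled breakpoint, of what kind and length. Reading DR7 itself needs
ring 0 (mov eax, dr7 is privileged), so the value is passed in as a parameter,
and the function names are the example's own. It also builds a DR7 the way a
debugger setting a BPM would, to give the decoder realistic input.

```c
/*
 * Added example (not from the original article): decode an x86 DR7 value
 * into the state Method 10 reads. The register can only be read in ring 0,
 * so the value is a parameter here; 0x400 and 0x700 are the article's values.
 */
#include <stdint.h>
#include <stdio.h>

/* DR7 control bits (Intel SDM vol. 3, Debug Control Register). */
#define DR7_LE       (1u << 8)    /* local exact breakpoint enable */
#define DR7_GE       (1u << 9)    /* global exact breakpoint enable */
#define DR7_RESERVED (1u << 10)   /* reserved, always reads as 1 */
#define DR7_GD       (1u << 13)   /* general detect: fault on any DRn access */

struct hw_bp {
    int enabled;     /* L<n> or G<n> set: DR<n> holds an active breakpoint */
    int global;      /* G<n> set */
    unsigned rw;     /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;    /* length covered, in bytes */
};

struct dr7_state {
    int le, ge, gd;
    int active_count;
    struct hw_bp bp[4];
};

static unsigned len_bytes(unsigned code)
{
    static const unsigned tab[4] = { 1, 2, 8, 4 };  /* 8 only in 64-bit mode */
    return tab[code & 3];
}

struct dr7_state dr7_decode(uint32_t dr7)
{
    struct dr7_state s = { 0 };
    s.le = (dr7 & DR7_LE) != 0;
    s.ge = (dr7 & DR7_GE) != 0;
    s.gd = (dr7 & DR7_GD) != 0;
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i)) & 1;        /* L0..L3 at even bits */
        int global = (dr7 >> (2 * i + 1)) & 1;    /* G0..G3 at odd bits  */
        s.bp[i].enabled = local || global;
        s.bp[i].global  = global;
        s.bp[i].rw  = (dr7 >> (16 + 4 * i)) & 3;  /* R/W<n> field */
        s.bp[i].len = len_bytes((dr7 >> (18 + 4 * i)) & 3);  /* LEN<n> */
        s.active_count += s.bp[i].enabled;
    }
    return s;
}

/* The article's loader heuristic: 0x400 is the bare reserved bit, 0x700 adds
 * LE and GE (bits 8 and 9). Only those two bits are tested, so breakpoint
 * enable bits in the same register do not disturb the result. */
int softice_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Build the DR7 a debugger would write for a hardware breakpoint in slot
 * 0..3 (SoftICE's BPM uses these), so the decoder has realistic input. */
uint32_t dr7_with_bp(uint32_t dr7, int slot, int global, unsigned rw, unsigned len)
{
    unsigned code = len == 1 ? 0 : len == 2 ? 1 : len == 8 ? 2 : 3;
    dr7 |= 1u << (2 * slot + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * slot));
    dr7 |= ((code << 2) | (rw & 3)) << (16 + 4 * slot);
    return dr7 | DR7_RESERVED;
}

int main(void)
{
    static const char *rwname[4] = { "exec", "write", "io", "rw" };
    /* constructed samples: bare, SoftICE-loader, and a 4-byte write BPM in dr1 */
    uint32_t samples[] = { 0x400, 0x700, dr7_with_bp(0x700, 1, 0, 1, 4) };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        struct dr7_state s = dr7_decode(samples[k]);
        printf("dr7=%08x LE=%d GE=%d GD=%d loader-signature=%d active=%d\n",
               (unsigned)samples[k], s.le, s.ge, s.gd,
               softice_loader_signature(samples[k]), s.active_count);
        for (int i = 0; i < 4; i++)
            if (s.bp[i].enabled)
                printf("  dr%d: %s %s len=%u\n", i,
                       s.bp[i].global ? "global" : "local",
                       rwname[s.bp[i].rw], s.bp[i].len);
    }
    return 0;
}
```

A protection reading dr7 in ring0 gets exactly this information; note that the
loader signature only proves the LE/GE bits were set, and a BPM shows up as an
enabled slot whose rw/len fields say what was watched.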

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the Win9x SoftICE VxD; the same call with \\.\SIWVID
      or \\.\NTICE checks the other two drivers. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the open succeeded, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on failure,
so 'inc eax' leaves 0 exactly when the open failed):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the sub-key strings of #2 and #1; it does not cover #3):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
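As an added example (not from the original article), here are the conditions
of the CreateFileA breakpoint of Method 11 and of the _regopenkey breakpoint
above, written out in C so it is clear what each SoftICE expression compares
and why the offsets are 4, 0x13 and 0x37. The sample filenames and sub-keys
are constructed to match the names given above, the function names are the
example's own, and the bounds check is something the SoftICE expression itself
never performs.

```c
/*
 * Added example (not from the original article): the CreateFileA breakpoint
 * condition of Method 11 and the _regopenkey condition of Method 13 in C.
 * In SoftICE, *(esp->4+4)=='SICE' reads the first stack argument (the
 * lpFileName passed to CreateFileA), skips the 4-byte "\\.\" prefix and
 * compares the dword there with the bytes "SICE".
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare the 4 bytes at s+off with tag. SoftICE reads guest memory blindly
 * (a short string just yields whatever follows its terminator); a C version
 * must bounds-check, and a string too short to reach the offset cannot match. */
static int dword_at_equals(const char *s, size_t off, const char *tag)
{
    if (strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * "\\.\SIWVID" and "\\.\NTICE" match on their first four name bytes, which is
 * why the expression only needs 'SIWV' and 'NTIC'. */
int createfile_condition(const char *lpFileName)
{
    return dword_at_equals(lpFileName, 4, "SICE")
        || dword_at_equals(lpFileName, 4, "SIWV")
        || dword_at_equals(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second argument (lpSubKey). 0x13 is the offset of "tICE" in
 * "Software\NuMega\SoftICE" (key #2) and 0x37 its offset in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1).
 * Key #3 (...\App Paths\Loader32.Exe) has no "tICE" at either offset, so the
 * breakpoint does not fire for it. */
int regopenkey_condition(const char *lpSubKey)
{
    return dword_at_equals(lpSubKey, 0x13, "tICE")
        || dword_at_equals(lpSubKey, 0x37, "tICE");
}

/* The dword a little-endian x86 reads from the bytes "SICE". SoftICE's
 * evaluator compares its 'SICE' constant in memory order, which is what makes
 * the breakpoints above fire; a C multi-character constant 'SICE' would be
 * 0x53494345 instead, so compare bytes (memcmp) or build the value this way. */
unsigned dword_from_bytes(const char *s)
{
    const unsigned char *u = (const unsigned char *)s;
    return u[0] | ((unsigned)u[1] << 8) | ((unsigned)u[2] << 16) | ((unsigned)u[3] << 24);
}

int main(void)
{
    /* Constructed sample arguments, as the breakpoints would see them. */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\boot.ini" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               createfile_condition(files[i]) ? "break" : "no break");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") -> %s\n", keys[i],
               regopenkey_condition(keys[i]) ? "break" : "no break");
    printf("dword at \"SICE\" = %08x\n", dword_from_bytes("SICE"));
    return 0;
}
```

Running it shows the three driver names and keys #1 and #2 breaking and key
#3 passing through, which is the blind spot of the _regopenkey condition as
written.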

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag and returns with the zero flag set when no
debugger is installed, which is what the je tests.