<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE!

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs              ; assumes ES = 0 (interrupt vector table segment)
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps).
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
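As an added example (not part of the original text), the following Python scanner turns the snippets catalogued above into byte signatures so that an analyst can flag these SoftICE-detection routines statically when triaging a packed or protected binary. The x86 encodings (16-bit for the DOS/int-based checks, 32-bit for the BCHK and VxDCall pushes), the method numbering and the sample blob are my own construction.

```python
"""Static scanner for the SoftICE-detection signatures listed above."""
from typing import Dict, List, Tuple

# Method number from the text -> (description, byte patterns).
# Encodings are assumed: 16-bit for the DOS/int checks, 32-bit for the
# BCHK and VxDCall snippets; device and registry names are plain ASCII.
SIGNATURES: Dict[str, Tuple[str, List[bytes]]] = {
    "01": ("BoundsChecker 'BCHK' in EBP before INT 3",
           [b"\xBD\x4B\x48\x43\x42"]),                  # mov ebp,4243484Bh
    "02": ("SoftICE back door magic SI=4647h DI=4A4Dh",
           [b"\xBE\x47\x46\xBF\x4D\x4A"]),              # mov si,4647h / mov di,4A4Dh
    "03": ("int 2Fh/1684h with VxD ID 0202h (SICE)",
           [b"\xBB\x02\x02\xCD\x2F"]),                  # mov bx,0202h / int 2Fh
    "04": ("int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
           [b"\xBB\x5F\x7A\xCD\x2F"]),                  # mov bx,7A5Fh / int 2Fh
    "05": ("int 41h function 4Fh debugger check",
           [b"\xB8\x4F\x00\xCD\x41"]),                  # mov ax,4Fh / int 41h
    "07": ("int 68h function 43h WinICE check",
           [b"\xB4\x43\xCD\x68"]),                      # mov ah,43h / int 68h
    "11": ("MeltICE: CreateFile/_lopen on a SoftICE device name",
           [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]),
    "12": ("VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
           [b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"]),  # push 4Fh / push 002A002Ah
    "13": ("Registry probe for the SoftICE installation key",
           [b"Software\\NuMega\\SoftICE"]),
}


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every hit, sorted by offset."""
    hits = []
    for method, (desc, patterns) in SIGNATURES.items():
        for pat in patterns:
            pos = blob.find(pat)
            while pos != -1:              # report every occurrence, not just the first
                hits.append((pos, method, desc))
                pos = blob.find(pat, pos + 1)
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed input: NOP filler with three of the page's snippets embedded
    (method 05 at offset 16, a MeltICE device name at 64, the VxDCall pushes at 96)."""
    blob = bytearray(b"\x90" * 128)
    blob[16:24] = b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # mov ax,4Fh / int 41h / cmp ax,0F386h
    blob[64:72] = b"\\\\.\\SICE"
    blob[96:106] = b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"
    return bytes(blob)


if __name__ == "__main__":
    import sys
    # Scan a file given on the command line, or the constructed sample otherwise.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, method, desc in scan(data):
        print(f"0x{off:08X}  method {method}: {desc}")
```

Signature matching of this kind only finds the literal encodings shown on the page; a protector that builds the magic values at run time or encodes the instructions differently will need a disassembler-based check instead.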