<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (If SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily installs its own
int 41h handler around the call:

 xor ax,ax
 mov es,ax ; ES -> interrupt vector table (segment 0)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our own handler, keep the old vector in dx:bx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret ; does nothing, so ax stays 4Fh when no debugger services int 41h
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; only reached if no debugger intercepts int 41h
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random value from the timer counter
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl still 0 => our handler never ran => a debugger is present
 jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
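Decoding the DR7 bits shows why an untouched DR7 reads 0x400 (bit 10 is architecturally always set) and what the 0x700 value from the text adds on top (the LE and GE exact-breakpoint bits), and how armed DR0-DR3 memory breakpoints show up. This is an example added here, not part of the original text; the bit layout is the documented IA-32 one and the 0xF0401 sample value is constructed.

```python
# DR7 layout (IA-32): Ln/Gn enables in bits 0-7, LE/GE in bits 8-9, reserved
# bit 10 always reads 1, GD in bit 13, RWn/LENn fields in bits 16-31.
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b means 8 bytes (64-bit mode only)

def decode_dr7(dr7):
    """Split a DR7 value into the armed breakpoint slots and its control bits."""
    slots = []
    for n in range(4):
        local_on = (dr7 >> (2 * n)) & 1        # Ln: armed for the current task
        global_on = (dr7 >> (2 * n + 1)) & 1   # Gn: armed for all tasks
        if local_on or global_on:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            slots.append({"slot": n, "scope": "global" if global_on else "local",
                          "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "LE": bool((dr7 >> 8) & 1),    # local exact-breakpoint enable
        "GE": bool((dr7 >> 9) & 1),    # global exact-breakpoint enable
        "GD": bool((dr7 >> 13) & 1),   # general detect: #DB on any MOV to/from DRn
        "reserved_bit10": bool((dr7 >> 10) & 1),  # architecturally always 1
    }

def describe(dr7):
    """One-line verdict in the terms of Method 10 above."""
    d = decode_dr7(dr7)
    parts = []
    if d["LE"] and d["GE"]:
        parts.append("LE+GE set (the 0x700 pattern the text attributes to the SoftICE loader)")
    if d["breakpoints"]:
        parts.append(f'{len(d["breakpoints"])} hardware breakpoint(s) armed (BPM)')
    return f"DR7={dr7:#x}: " + ("; ".join(parts) or "no breakpoints, only the reserved bit (0x400)")

# The two values from the text, plus a constructed one: DR0 armed as a local
# 4-byte read/write BPM (L0 = bit 0, RW0 = 11b in bits 16-17, LEN0 = 11b in bits 18-19).
EXAMPLES = [0x400, 0x700, 0xF0401]

if __name__ == "__main__":
    for value in EXAMPLES:
        print(describe(value))
```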

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The open succeeds only if a driver answers to the device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
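The immediates and strings behind Methods 01 to 07, 11, 12 and 13 can be turned into static byte signatures, which is how an analyst triages a suspected packed sample for these checks without running it. This is an example added here, not code from the original text: the constants come from the listings above, while the signature names, the byte windows between instructions and the sample blob are constructed.

```python
import re

def imm(value, size):
    """Immediate as it sits in the instruction stream: little-endian, regex-escaped."""
    return re.escape(value.to_bytes(size, "little"))

P66 = rb"(?:\x66)?"            # optional operand-size prefix (16-bit forms inside 32-bit code)
INT3 = rb"(?:\xcc|\xcd\x03)"   # 'int 3' may be assembled as CC or as CD 03

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    "softice_bchk": P66 + rb"\xbd" + imm(0x4243484B, 4) + rb".{0,8}?" + INT3 + rb".{0,4}?\x3c\x04",
    # Method 02: mov si,4647h / mov di,4A4Dh (the backdoor magic values), then int 3
    "softice_backdoor": (P66 + rb"\xbe" + imm(0x4647, 2) + rb".{0,8}?"
                         + P66 + rb"\xbf" + imm(0x4A4D, 2) + rb".{0,8}?" + INT3),
    # Methods 03/04: mov ax,1684h / mov bx,(SICE or SIWVID VxD id) / int 2Fh
    "int2f_vxd_entry": (rb"\xb8" + imm(0x1684, 2) + rb"\xbb(?:" + imm(0x0202, 2)
                        + rb"|" + imm(0x7A5F, 2) + rb")\xcd\x2f"),
    # Methods 05/06: mov ax,4Fh / int 41h (the 0F386h answer is compared afterwards)
    "int41_debugger": rb"\xb8" + imm(0x4F, 2) + rb"\xcd\x41",
    # Method 07: mov ah,43h / int 68h
    "int68_winice": rb"\xb4\x43\xcd\x68",
    # Method 12: push 4Fh / push 002A002Ah, i.e. VWIN32_Int41Dispatch through VxDCall
    "vxdcall_int41": rb"\x6a\x4f\x68" + imm(0x002A002A, 4),
    # Method 11 (MeltICE) and Method 13: driver device names and the NuMega registry key
    "meltice_names": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "numega_regkey": re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

def scan(blob):
    """Return every (offset, signature_name) hit in blob, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)

# Constructed sample: the page's snippets hand-assembled and padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd" + (0x4243484B).to_bytes(4, "little") + b"\x66\xb8\x04\x00\xcc\x3c\x04"  # Method 01
    + b"\x90\x90"
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"   # Method 02 (mov ax,0911h, magic si/di, int 3)
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"           # Method 05 (mov ax,4Fh / int 41h / cmp ax,0F386h)
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"               # Method 12 (push 4Fh / push 002A002Ah)
    + b"\\\\.\\SICE\x00"                            # Method 11 device name
    + b"\xb4\x43\xcd\x68"                           # Method 07
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"           # Method 03
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Run it over a dumped section of a real sample with `scan(open(path, "rb").read())`; a hit is a lead for manual review, since the same bytes may occur in unrelated code.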
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>