About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: an int 3 with
ebp='BCHK' and ax=4 is answered by SoftICE with al=0.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; untouched (still 4) if no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

! ?# ^; g( F' [' X1 i

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API Entry Point). ES:DI comes back as 0000:0000 when no VxD
with that ID is loaded:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE graphics VxD (SIWVID).

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________

9 P' G% O1 s' C* s/ n9 D0 p# J3 _

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax, 4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

The next variant as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is
swapped for a dummy handler around the call and restored afterwards: anything
a real-mode program has installed on int 41h is bypassed, and only a debugger
that intercepts the interrupt below the IVT (as SoftICE does, see Method 06)
can still put 0F386h in ax.

    xor     ax, ax
    mov     es, ax                ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]        ; install dummy handler, keep old offset in dx
    xchg    bx, es:[41h*4+2]      ; ... and old segment in bx
    mov     ax, 4Fh
    int     41h
    xchg    dx, es:[41h*4]        ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


; u, i, b, V2 \! P. q! r$ ~/ ^& ^0 e- B
Method 06
=========

2nd method, similar to the preceding one but harder to detect: no function
number is passed and the magic value is never compared. The dummy handler
copies al into cl; if SoftICE is loaded it handles int 41h itself, the
handler in the IVT never runs, and cl stays 0 while al holds the byte read
from port 40h (a false negative only when that byte happens to be 0).

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax                ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h               ; pseudo-random byte from the PIT counter
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_Detected

_________________________________________________________________________

* `6 r( b: ]5 Y) e9 {+ N* K; s5 d, v; ~
Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX Exec_Int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

6 s5 r/ T" S6 d7 F$ o$ R7 X

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number        ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) of
that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for SIWVID (VxD IDs)
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

  E8 j! w" c) ]7 J: k! A5 m
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

) V" H. y* Z  `( {- D& J6 S
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

4 C0 z0 i9 b8 o8 k, B) s& [( c& _7 n
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of 'tICE' inside key #2 and key #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

+ x, M8 m4 |8 K7 C( W
/ M! W* z& L$ P. G7 z6 d
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
/ S* t, C& j' I# f7 X</PRE></TD></TR></TBODY></TABLE>
Powered by Discuz! X5.0