<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE answers: with
EBP = 'BCHK' and AX = 4, the INT 3 is serviced by SoftICE, which changes
AL; if AL is still 4 afterwards, no SoftICE is loaded.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point): a non-zero ES:DI means the VxD answered.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next listing, as well as the following method, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). A temporary int 41h handler is
installed in the interrupt vector table for the duration of the call and
restored afterwards:

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

Here no magic number is compared: the temporary handler simply copies AL
(a value just read from the timer, so not predictable) into CL. If the
debugger has taken over int 41h, the handler is never reached, CL stays 0
and differs from AL.
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE when the \\.\SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
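
As an added example (not code from the original text), here is a Python triage script that finds the static traces of Methods 01-05, 07, 11, 12 and 13 in a binary sample: the opcode encodings of the listings above (with an optional 0x66 operand-size prefix for 32-bit code) plus the MeltICE device names and the registry paths. SAMPLE is a constructed buffer, and the extra UTF-16LE string search is an assumption beyond the text.

```python
"""Static triage of a DOS/Win32 sample for the SoftICE-detection idioms in
Methods 01-05, 07, 11, 12 and 13.  Added example, not code from the original
text; SAMPLE is constructed for the demo."""
import re

# Up to 16 arbitrary bytes may sit between the parts of a signature, so the
# register setup the listings show between the magic loads and the INT fits.
GAP = rb"[\x00-\xff]{0,16}?"
# Opcode signatures.  The optional 0x66 operand-size prefix covers 32-bit
# code, where 16-bit moves such as "mov ax,4fh" are encoded with that prefix.
OPCODE_SIGS = [
    ("M01 'BCHK' in EBP + mov ax,4 + int 3",
     rb"\xbd\x4b\x48\x43\x42" + GAP + rb"\x66?\xb8\x04\x00" + GAP + rb"\xcc"),
    ("M02 back-door magic SI=4647h DI=4A4Dh + int 3",
     rb"\x66?\xbe\x47\x46" + GAP + rb"\x66?\xbf\x4d\x4a" + GAP + rb"\xcc"),
    ("M03/M04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) ID",
     rb"\x66?\xb8\x84\x16" + GAP + rb"\x66?\xbb(?:\x02\x02|\x5f\x7a)"
     + GAP + rb"\xcd\x2f"),
    ("M05 int 41h/4Fh compared with 0F386h",
     rb"\x66?\xb8\x4f\x00" + GAP + rb"\xcd\x41" + GAP + rb"\x66?\x3d\x86\xf3"),
    ("M07 int 68h/43h", rb"\xb4\x43" + GAP + rb"\xcd\x68"),
    ("M12 VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
# String signatures: MeltICE device names (M11) and registry paths (M13).
# Each is also searched as UTF-16LE in case a Unicode build passes it to
# CreateFileW / RegOpenKeyW (an assumption beyond the text).
STRING_SIGS = [
    ("M11 device name \\\\.\\SICE", b"\\\\.\\SICE"),
    ("M11 device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("M11 device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    ("M13 registry key Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
    ("M13 registry key Uninstall\\SoftICE", b"Uninstall\\SoftICE"),
    ("M13 registry key App Paths\\Loader32.Exe", b"App Paths\\Loader32.Exe"),
]

def scan(sample):
    # Returns (offset, description) for every signature hit, sorted by offset.
    hits = []
    for name, pat in OPCODE_SIGS:
        hits += [(m.start(), name) for m in re.finditer(pat, sample)]
    for name, ansi in STRING_SIGS:
        for needle in (ansi, ansi.decode("ascii").encode("utf-16-le")):
            pos = sample.find(needle)
            while pos != -1:
                hits.append((pos, name))
                pos = sample.find(needle, pos + 1)
    return sorted(hits)

# Constructed sample: the Haspinst.exe loop of Method 02 (16-bit encoding),
# then 32-bit encodings of Methods 01, 05 and 12, then two tell-tale strings.
HASPINST = bytes.fromhex("b81109" "8b17" "be4746" "bf4d4a" "cc" "83c302" "41"
                         "83f906" "72eb" "e955ff" "8bdc")
METHOD01 = bytes.fromhex("bd4b484342" "66b80400" "cc" "3c04" "7510")
METHOD05 = bytes.fromhex("66b84f00" "cd41" "663d86f3" "7410")
METHOD12 = bytes.fromhex("6a4f" "682a002a00")
SAMPLE = (b"\x90" * 16 + HASPINST + b"\x90" * 8 + METHOD01 + METHOD05 + METHOD12
          + b"\x00" + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00")
```

Running scan(SAMPLE) reports the Method 02 loop at offset 21, then the Method 01, 05 and 12 stubs, the device name and the registry key, in file order.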

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>