<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; SoftICE answers the BCHK request by changing al
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(the "Get Device API Entry Point" function):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one of Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first installs its own (empty)
int 41h handler in the interrupt vector table, so that a plain system would
leave ax untouched (this listing assumes ES = 0, the IVT segment, which Method 06
sets explicitly):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler simply copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a changing value from the timer port
    xor cx,cx
    int 41h                 ; if a debugger intercepts int 41h, our handler
                            ; never runs and cl stays 0
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The \\.\ prefix opens a device rather than a file on disk. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open succeeded only because the driver is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

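As an added example (my own code, not part of the original text nor of any tool it mentions), here is a small Python triage scanner that searches a raw binary image for the byte signatures of the tricks listed above: the 'BCHK' constant of Method 01, the SI/DI magic values of Method 02, the int 41h/4Fh and int 68h/43h calls of Methods 05 and 07, the \\.\SICE device names of Method 11 and the registry path of Method 13. The instruction encodings it matches and the sample image are my own constructions.

```python
import re

# (label, compiled byte pattern). Encodings are the usual x86 forms of the
# instructions quoted in the text; other encodings of the same instruction
# will not match, so this is a triage aid, not an exhaustive detector.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') -> BD 4B 48 43 42
    ("M01 BoundsChecker 'BCHK' int 3 signature",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A),
    # in either order, at most 8 bytes apart
    ("M02 SoftICE int 3 back door magic (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL)),
    # Methods 05/12: mov ax,4Fh ; int 41h -> B8 4F 00 CD 41
    ("M05 int 41h function 4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h -> B4 43 CD 68
    ("M07 int 68h function 43h check", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names opened with CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00", re.IGNORECASE)),
    # Method 13: registry key used to locate the installation directory
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(image):
    """Return (offset, label) pairs for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(image):
            hits.append((match.start(), label))
    return sorted(hits)


# Constructed sample (not a real binary): the page's instruction sequences
# and strings, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                      # offset  4: mov ebp,4243484Bh
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # offset 12: mov ax,0911h; si; di; int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"          # offset 22: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00"                           # offset 30: "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"              # offset 39: registry path
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#08x}  {label}")
```

Run it against a memory dump or an unpacked executable rather than a packed one: most of these sequences live inside the decryption stub and only appear in clear once the stub has run.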
__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>