<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; SoftICE answers the BoundsChecker query in al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es must point to the IVT (es = 0) before the xchg, as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]   ; ...saving the old vector in dx:bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our dummy handler leaves ax alone, a debugger does not
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler simply copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; random value from the timer port
    xor cx,cx
    int 41h                 ; if nobody intercepts int 41h, our handler sets cl = al
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al -> int 41h was hooked by a debugger
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
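Added example, not the author's code: a small Python scanner that flags the byte sequences quoted in Methods 01-07, 11 and 12 inside a raw code blob, the kind of triage check an analyst runs on a packed sample before loading it in a debugger. The patterns are the x86 encodings of the instructions shown above (16-bit code unless noted) and the sample blob is constructed for the demonstration.

```python
# Added example for this page, not the author's code: a byte-pattern scanner
# that flags the SoftICE-detection sequences quoted in Methods 01-07, 11 and
# 12 inside a raw code blob, the way a triage script or YARA rule would.
# Patterns are the x86 encodings of the instructions shown on the page
# (16-bit DOS code unless noted); the sample blob below is constructed.
from typing import Dict, List, Tuple

SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK' as a 32-bit immediate)
    "bchk_signature":      bytes.fromhex("BD4B484342"),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, then int 3
    "int3_backdoor":       bytes.fromhex("BE4746BF4D4ACC"),
    # Method 03: mov ax,1684h / mov bx,0202h (SICE VxD ID) / int 2Fh
    "int2F_sice_vxd":      bytes.fromhex("B88416BB0202CD2F"),
    # Method 04: same with bx=7A5Fh (SIWVID VxD ID)
    "int2F_siwvid_vxd":    bytes.fromhex("B88416BB5F7ACD2F"),
    # Methods 05/06: mov ax,4Fh / int 41h
    "int41_4F":            bytes.fromhex("B84F00CD41"),
    # Method 07: mov ah,43h / int 68h
    "int68_43":            bytes.fromhex("B443CD68"),
    # Method 12 (32-bit): push 2A002Ah (VWIN32_Int41Dispatch) before VxDCall
    "vxdcall_int41":       bytes.fromhex("682A002A00"),
    # Method 11: device names handed to CreateFileA / _lopen
    "meltice_sice":        b"\\\\.\\SICE",
    "meltice_siwvid":      b"\\\\.\\SIWVID",
    "meltice_ntice":       b"\\\\.\\NTICE",
}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every match, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES.items():
        start = 0
        while (idx := blob.find(pattern, start)) >= 0:
            hits.append((idx, name))
            start = idx + 1          # keep going: the same trick may be repeated
    return sorted(hits)


# Constructed sample: filler instructions around three of the patterns, laid
# out as on the page (Method 02 prologue, Method 03 prologue, a MeltICE string).
SAMPLE_BLOB = (
    bytes.fromhex("B811098B17")          # mov ax,0911h / mov dx,[bx]   (Method 02)
    + SIGNATURES["int3_backdoor"]        # offset 5
    + bytes.fromhex("83C302")            # add bx,2
    + bytes.fromhex("31FF8EC7")          # xor di,di / mov es,di        (Method 03)
    + SIGNATURES["int2F_sice_vxd"]       # offset 19
    + b"\x90" * 4                        # nop padding
    + SIGNATURES["meltice_sice"] + b"\x00"   # offset 31, NUL-terminated string
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE_BLOB):
        print(f"{offset:#06x}  {name}")
```

A hit is a lead, not a verdict: the same immediates can appear in legitimate code, so confirm each offset in a disassembler before treating the sample as anti-debugging.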

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>