<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; if SoftICE handled the int 3, al is no longer 4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; ES:DI stays 0:0 if the VxD is not loaded
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; es must point at segment 0 (the IVT), as in Method 06
 xchg bx, es:[41h*4+2] ; install a dummy int 41h handler, keep the old vector
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random value read from the timer counter
 xor cx,cx
 int 41h ; if int 41h reaches our handler, cl becomes al
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. when the SoftICE
   VxD is loaded and answers the DIOC_OPEN message (see below). */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-((

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
                ; low word specifies which service
                ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
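The SoftICE breakpoints listed for each method catch the trick at run time. The complementary, static view is to look for the same fingerprints in the file before running it, which is what the scanner below does for the byte sequences quoted in Methods 01-07 and 12 and for the device names Method 11 hands to CreateFileA/_lopen. It is an added example, not code from the original text: the patterns are the standard x86 encodings of the instructions shown above (16-bit operand size for the DOS interrupt tricks, 32-bit for Methods 01 and 12), with small wildcard gaps for the register moves that sit between the distinctive instructions, and the sample buffer is constructed inline from the Haspinst.exe loop, the plain int 41h check and one MeltICE string.

```python
"""Static scanner for the anti-SoftICE fingerprints described in this text.

Added example, not part of the original document.  Patterns are standard
x86 encodings of the instruction sequences quoted above (16-bit operand
size for the DOS/int tricks, 32-bit for Methods 01 and 12); the sample
buffer at the bottom is constructed for the demonstration."""
import re

# (label, compiled bytes regex).  Small wildcard gaps allow for the
# register moves that sit between the distinctive instructions.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ... int 3 ... cmp al,4
    ("M01 BoundsChecker 'BCHK' int 3 probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,4}?\x3C\x04", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; ... int 3  (back-door call)
    ("M02 SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/M04 int 2Fh/1684h VxD lookup (SICE or SIWVID id)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S)),
    # Method 05 (both variants): mov ax,4Fh ; int 41h ; ... cmp ax,0F386h
    ("M05 int 41h/4Fh magic 0F386h check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,24}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("M07 int 68h/43h magic 0F386h check",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3", re.S)),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch(4Fh)",
     re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00", re.S)),
]

# Method 11 (MeltICE): the driver device names opened with CreateFileA/_lopen.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def scan(blob):
    """Return sorted (offset, label) pairs for every fingerprint found in blob."""
    hits = []
    for label, rx in SIGNATURES:
        hits.extend((m.start(), label) for m in rx.finditer(blob))
    for name in DEVICE_NAMES:
        for m in re.finditer(re.escape(name), blob):
            hits.append((m.start(), "M11 MeltICE device name " + name.decode()))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: the Haspinst.exe back-door loop (Method 02), the plain
# int 41h check (Method 05) and a MeltICE device string, with NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

Running it on the constructed sample reports the Method 02 sequence at offset 9, the Method 05 check at offset 20 and the device name at offset 32; scan_file applies the same rules to a real executable, and a hit is only a pointer to the place where the breakpoints above will pay off, since packers commonly spread such sequences across more instructions than the wildcard gaps allow.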

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>