<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax            ; ES:DI == 0000:0000 means the VxD is not loaded
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h           ; our handler leaves ax untouched; a debugger does not
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; copy al into cl so the caller can see we ran
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; arbitrary value read from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; cl == al only if our handler was reached
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                       ; set interrupt vector
    mov al, Int_Number                ; 01h or 03h
    mov dx, offset New_Int_Routine    ; ds:dx -> new handler
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
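
As an added example (not part of the original text), the following Python decodes a DR7 value the way the ring-0 check of Method 10 has to read it: it shows that 0x700 and 0x400 differ only in the LE/GE bits and how an armed BPM in dr0..dr3 shows up in DR7. The bit layout is the documented x86 one; the function names and the constructed values are mine.

```python
# Added example, not from the original text: decode a DR7 value the way the
# ring-0 check of Method 10 has to interpret it. Bit positions follow the
# x86 debug register layout (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# reserved bit 10 always reads as 1, GD bit 13, R/Wn and LENn in bits 16-31).
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 (8 bytes) exists on 64-bit CPUs only


def decode_dr7(dr7):
    """Describe which hardware breakpoints (BPMs) a DR7 value enables."""
    info = {
        "LE": bool(dr7 & (1 << 8)),            # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),            # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),           # general detect: traps MOV DRn
        "breakpoints": [],
    }
    for n in range(4):
        local_en = bool(dr7 & (1 << (2 * n)))
        global_en = bool(dr7 & (1 << (2 * n + 1)))
        if not (local_en or global_en):
            continue                           # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "reg": f"DR{n}",
            "scope": "global" if global_en else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def loader_signature(dr7):
    """Method 10's heuristic: 0x700 (LE and GE set) versus 0x400 (only bit 10)."""
    return (dr7 & 0x300) == 0x300


def constructed_dr7(n, kind, length, scope="global"):
    """Build a DR7 that arms DRn (constructed value for the demonstration)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * n + (1 if scope == "global" else 0))
    return 0x400 | enable | (rw << (16 + 4 * n)) | (ln << (18 + 4 * n))


if __name__ == "__main__":
    for value in (0x700, 0x400, constructed_dr7(0, "write", 4)):
        print(hex(value), loader_signature(value), decode_dr7(value))
```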
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected
___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32)
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
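
As an added example (not part of the original text), the following Python is a static triage scanner that looks in a raw binary for the instruction sequences and strings left behind by the checks of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13, so an analyst can tell which of them a sample carries before running it. The byte patterns are the standard x86 encodings of the instructions shown in those methods (an assumption I made, not something the text states), the signature names and the sample buffer are mine.

```python
import re
import sys

# Added example, not from the original text: a static triage scanner for the
# SoftICE checks described in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13.
# Each entry is the x86 encoding of the instruction sequence (or the string)
# that check leaves in a binary; "(?:\x66)?" tolerates the operand-size
# prefix that 16-bit register moves carry when assembled in 32-bit code.
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' (mov ebp,4243484Bh; mov ax,4; int 3)",
     rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    ("02 INT 3 back door (mov si,4647h; mov di,4A4Dh; int 3)",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A\xCC"),
    ("03/04 int 2Fh/1684h entry point of SICE 0202h or SIWVID 7A5Fh",
     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05 int 41h function 4Fh (mov ax,4Fh; int 41h)",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    ("05/07/12 magic number compare (cmp ax,0F386h)",
     rb"(?:\x66)?\x3D\x86\xF3"),
    ("07 int 68h function 43h (mov ah,43h; int 68h)",
     rb"\xB4\x43\xCD\x68"),
    ("11 MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13 SoftICE registry key",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in SIGNATURES]


def scan(blob):
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = []
    for name, regex in COMPILED:
        for match in regex.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


def methods_found(blob):
    """Set of method numbers (the leading token of each name) present in blob."""
    return {name.split()[0] for _, name in scan(blob)}


# Constructed sample: NOP padding around three of the checks from this page
# (Method 01, Method 12 followed by its cmp ax,0F386h, and a MeltICE name).
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00\x66\x3D\x86\xF3"
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```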
</PRE></TD></TR></TBODY></TABLE>