About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
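As an added example (not part of the original post): a small Python scanner that flags the byte patterns of several of the checks above (methods 01, 02, 03/04, 05, 07, 11 and 12) inside a raw binary, the way an analyst triages a sample for anti-debugger code. The x86 encodings, the signature names and the sample buffer are constructed for this example.

```python
import re

# x86 byte encodings of the SoftICE checks described in the post (constructed
# for this example). The 66h operand-size prefix that a 16-bit build emits in
# front of 32-bit operands is left out of the patterns, so both builds match.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') followed shortly by int 3
    "01 BoundsChecker 'BCHK'":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC", re.DOTALL),
    # Method 02: mov si,4647h ... mov di,4A4Dh (SoftICE back-door magic values)
    "02 int 3 back door (SI=4647h, DI=4A4Dh)":
        re.compile(rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A", re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "03/04 int 2Fh/1684h VxD ID":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h ; ... cmp ax,0F386h
    "05 int 41h/4Fh magic F386h":
        re.compile(rb"\xB8\x4F\x00.{0,24}\xCD\x41.{0,24}\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h":
        re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11: driver device names opened via CreateFile/_lopen
    "11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
}


def scan(blob):
    """Return (signature name, offset) pairs for every match in blob, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: method 01 (16-bit build, hence the 66h prefix), the
# Haspinst-style method 02 sequence and the device name MeltICE opens, with
# NOP padding between them.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"                # mov ebp,4243484Bh
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"        # mov ax,4 ; int 3 ; cmp al,4 ; jnz
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17"                    # mov ax,911h ; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"            # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                         # '\\.\SICE',0
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"offset {offset:#06x}: method {name}")
```

Running the block on a real file is a matter of `scan(open(path, "rb").read())`; a hit only says the byte sequence is present, so confirm it in a disassembler before drawing conclusions.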