<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK' - BoundsChecker signature
    mov ax, 04h
    int 3
    cmp al,4            ; al is left at 4 when nobody answers the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di      ; ES:DI stays 0:0 if the VxD is not installed
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily
replaced by a dummy handler (es must point to segment 0, the interrupt
vector table, as in Method 06), so a value of 0F386h in ax can only come
from a debugger intercepting the interrupt:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; the dummy handler just copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value read from the timer chip
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al: our handler never ran, something
    jnz SoftICE_detected    ; else intercepted int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS Set Interrupt Vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE driver by its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
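The interrupt-based checks of Methods 01 to 07 and the VxDCall variant above all leave fixed instruction bytes in the protected program, so an analyst can flag them statically before tracing a sample under SoftICE. The scanner below is an added example, not code from the original text: the byte patterns are my own encodings of the instructions those methods list (the 16-bit form, or both forms where they differ only by the 0x66 operand-size prefix), the GAP tolerance and the SAMPLE buffer are constructed, and a packer may of course assemble the same check with different instructions.

```python
import re
import sys

# Added example, not code from the original text. Each signature is a regex
# over raw bytes for the instructions the corresponding method lists. GAP
# tolerates a few unrelated bytes between them (e.g. Stone's xchg pairs);
# where the 16-bit and 32-bit encodings differ only by the 0x66 operand-size
# prefix, the prefix is optional. The encodings are my own, derived from the
# listings in the text, and a packer may assemble the same checks differently.
GAP = rb".{0,12}?"

SIGNATURES = {
    "Method 01": ("int 3 with ebp='BCHK' (BoundsChecker interface)",
                  rb"\x66?\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC"),
    "Method 02": ("int 3 back door with si=4647h, di=4A4Dh",
                  rb"\x66?\xBE\x47\x46" + GAP + rb"\x66?\xBF\x4D\x4A" + GAP + rb"\xCC"),
    "Method 03": ("int 2Fh/1684h with VxD ID 0202h (SICE)",
                  rb"\xB8\x84\x16" + GAP + rb"\xBB\x02\x02" + GAP + rb"\xCD\x2F"),
    "Method 04": ("int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
                  rb"\xB8\x84\x16" + GAP + rb"\xBB\x5F\x7A" + GAP + rb"\xCD\x2F"),
    "Method 05": ("int 41h function 4Fh compared against 0F386h",
                  rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + rb"\x66?\x3D\x86\xF3"),
    "Method 06": ("in al,40h then int 41h (Stone's handler check)",
                  rb"\xE4\x40" + GAP + rb"\xCD\x41"),
    "Method 07": ("int 68h function 43h compared against 0F386h",
                  rb"\xB4\x43" + GAP + rb"\xCD\x68" + GAP + rb"\x66?\x3D\x86\xF3"),
    "Method 12": ("VxDCall VWIN32_Int41Dispatch (push 4Fh, push 002A002Ah)",
                  rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
}


def scan(buf):
    """Return [(method, description, offset), ...] sorted by offset.

    DOTALL is required: the gap must be allowed to contain the byte 0x0A."""
    hits = []
    for method, (description, pattern) in SIGNATURES.items():
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((method, description, m.start()))
    return sorted(hits, key=lambda h: h[2])


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed test buffer: NOP padding around four of the sequences above,
# assembled by hand from the listings in the text (32-bit encoding for
# Method 01, 16-bit encodings for Methods 02 and 03, Method 12 as listed).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # offset 4: Method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # offset 20: Haspinst.exe loop body
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # offset 36: Method 03
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # offset 52: Method 12
    + b"\x90" * 4
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for method, description, offset in hits:
        print(f"{offset:#010x}  {method}: {description}")
```

Run it as `python scanner.py sample.exe`; without an argument it scans the constructed buffer. Matching raw instruction bytes is cheap but brittle: Stone's xchg pairs fit inside the 12-byte gap, a check broken up by jumps or built from different instructions will not, so a miss is inconclusive while a hit tells you exactly which BPX from the text to set before tracing.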

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
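Both MeltICE (Method 11) and the registry probe above must carry the device names or key paths they open somewhere in the binary, so the same static approach works on strings. The scanner below is an added example that is not part of the original text: the device names are the three MeltICE opens and the registry paths are the three keys listed above, the SAMPLE buffer is constructed, and the UTF-16LE form is my own addition in case a program stores them as wide strings.

```python
import re
import sys

# Added example, not code from the original text. The device names are the
# ones MeltICE (Method 11) opens and the registry paths are the three keys
# listed in Method 13; a program that performs either check has to carry
# them somewhere, usually as plain ASCII, sometimes as UTF-16LE wide strings.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def _patterns():
    """Yield (category, text, encoding, regex) for the ASCII and UTF-16LE forms.

    Device names and registry paths are case-insensitive on Windows, so the
    match is too. On UTF-16LE bytes this still works: IGNORECASE folds only
    the ASCII letter bytes and leaves the interleaved NULs alone."""
    for category, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for text in names:
            for encoding in ("ascii", "utf-16-le"):
                rx = re.compile(re.escape(text.encode(encoding)), re.IGNORECASE)
                yield category, text, encoding, rx


def find_softice_strings(buf):
    """Return [(offset, category, encoding, text), ...] sorted by offset."""
    hits = []
    for category, text, encoding, rx in _patterns():
        for m in rx.finditer(buf):
            hits.append((m.start(), category, encoding, text))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as f:
        return find_softice_strings(f.read())


# Constructed buffer standing in for a data section of a suspect binary: an
# ASCII device name, a wide-string device name and a registry path, NUL-separated.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                # offset 8, ASCII
    + b"\x00" * 4
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"  # offset 21, UTF-16LE
    + b"\x00" * 4
    + b"Software\\NuMega\\SoftICE\x00"                   # offset 45, ASCII
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_softice_strings(SAMPLE)
    for offset, category, encoding, text in hits:
        print(f"{offset:#010x}  {category:8s} {encoding:9s} {text}")
```

A hit on a device name points at the CreateFileA/_lopen BPX conditions from Method 11, a hit on a key path at the _regopenkey breakpoint above. Strings built at run time or stored XOR-encoded will not show up, so, as with the opcode signatures, absence proves nothing.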
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>