<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to point to the interrupt vector table (segment 0),
    ; as set up explicitly in Method 06.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h          ; the dummy handler cannot return the magic number
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer port: a hard-to-predict value
    xor cx, cx
    int 41h                 ; our handler copies al into cl, unless a debugger
    xchg dx, es:[41h*4]     ; intercepts int 41h first
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD through its \\.\SICE device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open succeeded only because the VxD is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
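Added example (not part of the original text): a static signature scanner that
looks for the byte encodings of the checks catalogued in methods 01, 02, 03/04,
05, 07, 11, 12 and 13, so a binary can be triaged before it is ever run under a
debugger. Signature names, the regular expressions and the sample blob are my
own constructions; immediates built at runtime will of course not be matched.

```python
import re

# Byte signatures for the SoftICE checks catalogued above (constructed here).
# DOS-era tricks (01-05) use 16-bit encodings; the optional 66h prefix covers
# the same instruction assembled in the other operand size.
DEVICE_NAMES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]  # literal \\.\SICE ...
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK' little-endian = 4B 48 43 42)      -> method 01
    "method01_bchk": rb"(?:\x66)?\xbdKHCB",
    # mov si,4647h ; mov di,4A4Dh ; int 3 within a few bytes       -> method 02
    "method02_backdoor": rb"\xbeGF.{0,16}?\xbfMJ.{0,16}?\xcc",
    # mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh (either mov order) -> methods 03/04
    "method03_04_int2f_vxd_id":
        rb"(?:\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a)|"
        rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xb8\x84\x16).{0,8}?\xcd\x2f",
    # mov ax,4Fh ; int 41h ; cmp ax,0F386h                         -> method 05
    "method05_int41_4f": rb"(?:\x66)?\xb8\x4f\x00.{0,8}?\xcd\x41.{0,16}?(?:\x66)?\x3d\x86\xf3",
    # mov ah,43h ; int 68h                                          -> method 07
    "method07_int68": rb"\xb4\x43.{0,8}?\xcd\x68",
    # \\.\SICE, \\.\SIWVID, \\.\NTICE device names (MeltICE, _lopen) -> method 11
    "method11_device_name": b"|".join(re.escape(n) for n in DEVICE_NAMES),
    # push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)  -> method 12
    "method12_vxdcall_int41": rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",
    # registry key #2                                                -> method 13
    "method13_registry_key": re.escape(rb"Software\NuMega\SoftICE"),
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (signature name, file offset) for every hit, ordered by offset."""
    hits = [(name, m.start()) for name, pat in COMPILED for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: hand-assembled fragments of the snippets quoted above,
# separated by NOP padding (not taken from any real binary).
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbdKHCB\xb8\x04\x00\xcc\x3c\x04\x75\x10"      # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbeGF\xbfMJ\xcc"              # 02: mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"  # 03: xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"          # 05: mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xff\x15"              # 12: push 4Fh; push 2A002Ah; call [VxDCall]
    + b"\x00" * 4
    + rb"\\.\SICE" + b"\x00"                                # 11: device name string
    + rb"Software\NuMega\SoftICE" + b"\x00"                 # 13: registry key string
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Run it over a real file with scan(open(path, "rb").read()); a hit is a lead for where to set the breakpoints listed above, not proof of a working check.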
</PRE></TD></TR></TBODY></TABLE>