About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE implements: with
EBP = 'BCHK' and AX = 04h, the INT 3 is answered by SoftICE, which clears AL.
If AL is no longer 04h afterwards, SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h
    int     3                      ; handled by SoftICE if it is loaded
    cmp     al,4                   ; AL untouched => no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded:
  the program installs its own handler, and when SoftICE is not there to
  swallow the INT 3 that handler receives it and resumes at 00ADh.

___________________________________________________________________________

Method 03
=========

Less used method.  It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point).  ES:DI is zeroed first, so
anything non-zero coming back means the VxD is loaded.

    xor     di,di
    mov     es,di           ; ES:DI = 0000:0000 before the call
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; still 0 if no entry point was returned
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh (the debugger installation
check).  There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net).  This one temporarily replaces the
int 41h vector with its own IRET stub: with no debugger the stub runs and AX
comes back unchanged, whereas SoftICE under Windows intercepts INT 41h in the
VMM, before the real-mode vector is consulted, and still returns 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0: es:[41h*4] is the IVT entry
    xchg    bx, es:[41h*4+2]        ; old vector is now in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
function 4Fh and no 0F386h constant appear anywhere.  The program reads the
timer port (in al,40h) to get a changing value in AL, clears CX and issues
INT 41h.  Without a debugger its own handler runs and copies AL into CL, so
the two are equal afterwards.  If SoftICE intercepts INT 41h the handler is
never reached, CL stays 0 and the compare fails.  (If AL happens to read 0
the check gives a false negative.)

int41handler PROC
    mov     cl,al           ; only runs if nobody intercepted INT 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; timer channel 0: a value that is hard to predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86): function AH=43h
returns the same 0F386h magic value as int 41h/4Fh.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns that device's Device Description Block
(in ecx) if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE Loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only: mov eax,drN raises #GP from ring3).  Bit 10 of DR7 is
reserved and always set, which is where the 0x400 baseline comes from; 0x700
additionally has bits 8 and 9 (LE/GE, exact breakpoint enable) set.  Values
can be manipulated and changed as well (clearing BPMs, for instance).

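As an added example (not code from the original post), here is a Python decoder for the DR7 value this method reads. It shows which bits make up 0x400 and 0x700 and how the BPM slots (DR0..DR3) are enabled, decoded or cleared. The bit assignments are the documented x86 DR7 layout; the LE/GE reading of 0x700 is the post's own observation about the SoftICE Loader, which this code only decodes, not verifies.

```python
# Added example: decode an x86 DR7 value the way Method 10 reads it.
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0,2,4,6   L0..L3  local enable for DR0..DR3
#   bits 1,3,5,7   G0..G3  global enable
#   bit 8 / 9      LE / GE exact breakpoint enable
#   bit 10         reserved, always set (hence the 0x400 baseline)
#   bits 16-17,20-21,24-25,28-29   R/Wn  break condition for DRn
#   bits 18-19,22-23,26-27,30-31   LENn  length for DRn

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 8 only in 64-bit mode


def decode_dr7(dr7):
    """Return a dict describing every breakpoint slot plus the LE/GE bits."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({
            "slot": n,
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else None),
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "slots": slots,
    }


def active_bpms(dr7):
    """Slot numbers a protection would see as 'a BPM is set'."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def softice_loader_signature(dr7):
    """True when DR7 carries the LE+GE pattern the post reports for programs
    started through the SoftICE Loader (0x700 rather than 0x400)."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def clear_bpms(dr7):
    """DR7 value a protection would write back to kill all hardware
    breakpoints while leaving bit 10 and LE/GE untouched."""
    return dr7 & ~0xFF          # drop L0..L3 / G0..G3


def build_bpm(slot, kind, length, glob=False):
    """DR7 bits for one hardware breakpoint slot (what a BPM in SoftICE
    ends up as), including the always-set reserved bit 10."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot + 1) if glob else 1 << (2 * slot)
    return 0x400 | enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


if __name__ == "__main__":
    for value in (0x400, 0x700, build_bpm(0, "read/write", 4)):
        d = decode_dr7(value)
        print(f"dr7={value:#07x} LE={d['LE']} GE={d['GE']} "
              f"bpm slots={active_bpms(value)}")
```

A BPM on 4 bytes read/write in DR0 turns the 0x400 baseline into 0xF0401, which is exactly the kind of value a ring0 check would notice; `clear_bpms` shows the reverse manipulation the post mentions.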
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.  A successful open means the driver is
loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE VxD;
      "\\.\SIWVID" and "\\.\NTICE" are checked the same way. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the open succeeded: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE?
  00401074:  je        00401091    ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
  4-byte compare lands on the driver name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually
#2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-((

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey string; 0x13 and 0x37 are the offsets of 'tICE' inside
key #2 and key #1 respectively)

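The following is an added example, not part of the original post and not code from any of the protections it describes: a Python scanner that searches a raw code/data blob for the byte encodings of the listings on this page (methods 01 to 07, 11, 12 and 13) and decodes the VxDCall service dword of method 12 into VxD ID and service. The encodings are the standard 16-bit x86 ones for the instructions shown (the same instructions in 32-bit code carry a 66h prefix, which the patterns tolerate because they match the core bytes); the sample buffer is constructed here. Hits are candidates for a human to look at, not proof of a trick, since short immediates can occur by chance.

```python
# Added example: static scanner for the anti-SoftICE byte patterns on this page.
import re

# (name, regex over bytes).  \xcc = INT 3, \xcd\x2f = INT 2Fh, \xcd\x41 = INT 41h.
SIGNATURES = [
    ("01 BCHK int3",         rb"\xbd\x4b\x48\x43\x42.{0,12}\xcc"),          # mov ebp,'BCHK' ... int 3
    ("02 backdoor int3",     rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a.{0,8}\xcc"),  # mov si,4647h / mov di,4A4Dh / int 3
    ("03 int2F/1684 WINICE", rb"\xb8\x84\x16.{0,8}\xbb\x02\x02.{0,8}\xcd\x2f"),
    ("04 int2F/1684 SIWVID", rb"\xb8\x84\x16.{0,8}\xbb\x5f\x7a.{0,8}\xcd\x2f"),
    ("05 int41/4F",          rb"\xb8\x4f\x00.{0,16}\xcd\x41"),               # mov ax,4Fh ... int 41h
    ("06 int41 blind",       rb"\xe4\x40.{0,8}\xcd\x41"),                    # in al,40h ... int 41h
    ("07 int68/43",          rb"\xb4\x43.{0,8}\xcd\x68"),                    # mov ah,43h ... int 68h
    ("12 VxDCall Int41Disp", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),              # push 4Fh / push 002A002Ah
    ("11 MeltICE device",    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),         # "\\.\SICE" etc., NUL-terminated
    ("13 registry key",      rb"Software\\NuMega\\SoftICE"),
    ("05/07/12 F386 magic",  rb"\x3d\x86\xf3"),                              # cmp ax,0F386h
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob):
    """Return sorted (offset, signature name) hits for every pattern in blob."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def decode_vxdcall(dword):
    """Split a VxDCall service number (the Kernel32!ORD_0001 argument) into
    (VxD name, service).  Only IDs and services named on this page are known."""
    vxd_id, service = dword >> 16, dword & 0xFFFF
    vxd_names = {0x002A: "VWIN32", 0x0202: "WINICE", 0x7A5F: "SIWVID"}
    vwin32_services = {0x001F: "_VWIN32_ReleaseWin32Mutex",
                       0x002A: "VWIN32_Int41Dispatch"}
    name = vxd_names.get(vxd_id, "unknown")
    if name == "VWIN32" and service in vwin32_services:
        return name, vwin32_services[service]
    return name, f"{service:#06x}"


# Constructed sample (not a real binary): the Haspinst.exe loop head from
# Method 02 in 16-bit encoding, Method 12's VxDCall, a 32-bit cmp ax,0F386h
# and a MeltICE device name, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"                   # mov ax,0911h
    + b"\x8b\x17"                       # mov dx,[bx]
    + b"\xbe\x47\x46"                   # mov si,4647h
    + b"\xbf\x4d\x4a"                   # mov di,4A4Dh
    + b"\xcc"                           # int 3
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"   # push 4Fh / push 002A002Ah
    + b"\x66\x3d\x86\xf3"               # cmp ax,0F386h (66h prefix in 32-bit code)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                # "\\.\SICE"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
    print(decode_vxdcall(0x002A002A))
```

Run against a dumped code section (or the whole file for the string patterns) and triage each hit by hand: a `3D 86 F3` alone is weak evidence, the two magic values followed by an `INT 3` are not.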
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

   VMMCall Test_Debug_Installed    ; ZF set when no debugger is installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>