<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: when
SoftICE is running it services the 'BCHK' interface and al no longer holds
04h when int 3 returns.

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3
cmp al, 4
jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a much used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point). ES:DI stays 0000:0000 when no VxD with that ID is
loaded, so a non-zero result means the VxD answered:

xor di, di
mov es, di
mov ax, 1684h
mov bx, 0202h   ; VxD ID of WinIce
int 2Fh
mov ax, es      ; ES:DI -> VxD API entry point
add ax, di
test ax, ax
jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

xor di, di
mov es, di
mov ax, 1684h
mov bx, 7a5Fh   ; VxD ID of SIWVID
int 2fh
mov ax, es      ; ES:DI -> VxD API entry point
add ax, di
test ax, ax
jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

mov ax, 4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler for the duration of the call, so a debugger that only hooked the
vector table is bypassed, while one that intercepts the interrupt below it
still answers with 0F386h:

xor ax, ax
mov es, ax               ; ES = 0 -> interrupt vector table (as in Method 06)
mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
mov ax, 4fh
int 41h
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler just copies al into cl, so if SoftICE intercepts int 41h the
handler never runs, cl stays 0 and the value read from port 40h is not
matched.

int41handler PROC
mov cl, al
iret
int41handler ENDP

xor ax, ax
mov es, ax
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
in al, 40h
xor cx, cx
int 41h
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
cmp cl, al
jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

mov ah, 43h
int 68h
cmp ax, 0F386h
jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

mov ah, 25h
mov al, Int_Number            ; 01h or 03h
mov dx, offset New_Int_Routine
int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx        ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
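
As an added example (Python, not part of the original text), here is a decoder for the DR7 bit layout, so a value read as in Method 10 can be turned into the list of armed breakpoints and their type; the 0x700 and 0x400 values quoted above contain no enabled dr0-dr3 slot (bits 8 and 9 are LE/GE, bit 10 is reserved and always reads as 1), which is exactly what makes the loader recognisable. The 0xF0406 value used in the demo is constructed.

```python
# Added example: decode an x86 DR7 value (the register Method 10 reads in ring 0).
# Bit layout (Intel SDM vol. 3, Debug Control Register):
#   bits 0-7    L0,G0 ... L3,G3   local/global enable for dr0..dr3
#   bits 8, 9   LE, GE            exact-breakpoint enables (the SoftICE loader leaves 0x700)
#   bit 10      reserved, always reads as 1 (hence 0x400 with nothing armed)
#   bit 13      GD                general detect: #DB on any MOV to/from a DRn
#   bits 16+4n  R/Wn              condition for dr<n>;  bits 18+4n  LENn  size for dr<n>
RW_KIND = {0b00: "execute", 0b01: "data write", 0b10: "I/O read/write", 0b11: "data read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # 10b = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the control flags plus one entry per enabled breakpoint in dr0..dr3."""
    info = {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue  # slot n is not armed, whatever R/Wn and LENn say
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        info["breakpoints"].append({
            "reg": f"dr{n}",
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
        })
    return info


def describe(dr7: int) -> str:
    """One-line summary of a DR7 value, as an analyst would log it."""
    d = decode_dr7(dr7)
    flags = [f for f in ("LE", "GE", "GD") if d[f]]
    bps = [f"{b['reg']}:{b['scope']} {b['kind']} len={b['len']}" for b in d["breakpoints"]]
    return f"dr7={dr7:#x} flags={flags or '-'} breakpoints={bps or 'none'}"


if __name__ == "__main__":
    # 0xF0406 is constructed: dr0 global 4-byte read/write (a BPM), dr1 local execute.
    for value in (0x400, 0x700, 0xF0406):
        print(describe(value))
```
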
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the Win9x SoftICE VxD
   answers the open request (see the explanation below). */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                   *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(
-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00                 ; OF_READ
mov eax,[00656634]      ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax
jnz 00650589            ; detected
push 00                 ; OF_READ
mov eax,[00656638]      ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

push 0000004fh          ; function 4fh
push 002a002ah          ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service (VWIN32_Int41Dispatch)
call Kernel32!ORD_001   ; VxdCall
cmp ax, 0f386h          ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:
BPINT 41 if ax==4f
BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
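
As an added example that is not part of the original text, here is a Python triage scanner an analyst can run over a suspicious executable to flag the constants the methods above leave behind: the 'BCHK' value and the 4647h/4A4Dh magic words (Methods 01 and 02), the int 2Fh/1684h VxD IDs (03/04), the 0F386h magic number (05, 07, 12), the 4Fh/002A002Ah VxDCall arguments (12), the MeltICE device names (11) and the registry keys (13). The sample bytes and signature names are constructed for the example; real binaries may build the constants in registers or obfuscate them, so misses are expected and a hit is a lead to confirm in the debugger, not proof.

```python
import re

# Signatures for the SoftICE checks described above. Byte patterns are the x86
# encodings of the constants the text gives; the optional 66h prefix covers a
# 16-bit operand in 32-bit code and vice versa. Names are constructed for this example.
SIGNATURES = {
    "m01_boundschecker_BCHK":   re.compile(rb"\x66?\xBD\x4B\x48\x43\x42"),              # mov ebp,4243484Bh
    "m02_int3_magic_4647_4A4D": re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.S),  # mov si,4647h .. mov di,4A4Dh
    "m03_04_int2F_1684_vxd_id": re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A)", re.S),  # mov ax,1684h .. mov bx,202h/7A5Fh
    "m05_07_12_cmp_ax_F386":    re.compile(rb"\x66?\x3D\x86\xF3"),                      # cmp ax,0F386h
    "m12_vxdcall_4F_2A002A":    re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),            # push 4Fh / push 2A002Ah
    "m11_meltice_device_name":  re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),       # "\\.\SICE" etc., NUL-terminated
    "m13_registry_key":         re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I),
}


def scan(blob: bytes) -> dict:
    """Map each signature that matches to the list of offsets where it was found."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


def report(blob: bytes) -> list:
    """One human-readable line per hit, e.g. 'm05_07_12_cmp_ax_F386 @ 0x1f'."""
    return [f"{name} @ {', '.join(hex(o) for o in offs)}" for name, offs in scan(blob).items()]


# Constructed stub mimicking a packer's detection sequence (not a real binary).
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"                   # Method 01: mov ebp,'BCHK'
    + b"\xB8\x04\x00\xCC\x3C\x04"                   #            mov ax,4 / int 3 / cmp al,4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02: mov ax,911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # Method 03: mov ax,1684h / mov bx,202h / int 2Fh
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"               # Method 12: push 4Fh / push 2A002Ah
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"        # Method 11: device names
    + b"Software\\NuMega\\SoftICE\x00"              # Method 13: registry key
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```
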
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

VMMCall Test_Debug_Installed
je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>