<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less-used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06), but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
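As an added example (not from the original text nor from any of the programs it describes), here is a small Python scanner that turns the instruction sequences and strings of methods 01 to 13 above into byte signatures and reports where they occur in a file, the way an analyst flags these checks in a sample before loading it in a debugger at all. The byte encodings are my assumption of how an assembler emits those listings (32-bit code for methods 01, 11 and 12, 16-bit code for 02 to 05), and the sample buffer is constructed here.

```python
import re

# Byte signatures derived from the listings above (added example, not from the
# original text). Encodings assume 32-bit code for methods 01/11/12 and 16-bit
# code for methods 02-05; adjust them if the sample is known to differ.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ... int 3 (BoundsChecker signature)
    ("M01 BCHK/int3", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (SoftICE back door)
    ("M02 int3 back door SI=4647 DI=4A4D", re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A\xCC")),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh
    ("M03 int2F/1684 VxD 0202 (SICE)", re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    ("M04 int2F/1684 VxD 7A5F (SIWVID)", re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("M05 int41/4F magic F386", re.compile(rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3")),
    # Method 11 (MeltICE): driver name handed to CreateFileA or _lopen
    ("M11 MeltICE driver name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah ; call VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry keys that reveal the SoftICE install directory
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\(?:NuMega\\SoftICE|"
                rb"Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)")),
]


def scan(buf):
    """Return every (offset, signature name) hit found in buf, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a few of the sequences above glued together with NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # method 01 at offset 4
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # method 03 at offset 19
    + b"\\\\.\\SICE\x00"                                     # method 11 at offset 27
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # method 12 at offset 36
    + b"Software\\NuMega\\SoftICE\x00"                      # method 13 at offset 43
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it against a real file with scan(open(path, "rb").read()); a hit only says the sequence is present, so confirm it in the disassembly before treating it as an anti-debug check.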
</PRE></TD></TR></TBODY></TABLE>