<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') in SoftICE:

    mov ebp, 04243484Bh  ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4             ; AL is left unchanged when no SoftICE is loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h        ; Get VxD API entry point
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di           ; ES:DI stays 0000:0000 if the VxD is absent
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h        ; Get VxD API entry point
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next example as well as the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler around the call, so a plain DOS int 41h returns with AX unchanged;
SoftICE intercepts the interrupt before the vector table is reached and still
answers 0F386h:

    xor ax,ax
    mov es,ax            ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]  ; install dummy handler, keep old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]  ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al            ; dummy handler: CL = AL only if it really ran
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax            ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]  ; install dummy handler, keep old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h           ; unpredictable byte from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]  ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al            ; CL stayed 0 if our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h          ; DOS set interrupt vector
    mov al, Int_Number   ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h              ; DS:DX -> new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

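As an added example that is not part of the original text, the Python below
decodes a DR7 value the way a ring-0 check of this kind reads it, using
Intel's documented bit layout, so the two values quoted above can be read:
bit 10 is reserved and always set (hence 0x400), and 0x700 adds the LE and GE
exact-match bits; the field names and helper functions are my own.

```python
# Added example: decode DR7 with Intel's layout (SDM vol. 3, Debug Registers).
# L0..L3/G0..G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (reads 1),
# R/Wn in bits 16+4n..17+4n and LENn in bits 18+4n..19+4n for breakpoint n.
RW_KIND = {0: "exec", 1: "write", 2: "io (needs CR4.DE)", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 2 means 8 bytes (x86-64)


def bit(value, n):
    """True if bit n of value is set."""
    return (value >> n) % 2 == 1


def decode_dr7(dr7):
    """Return a dict with the global flags and every armed breakpoint."""
    info = {
        "le": bit(dr7, 8),              # local exact breakpoint match
        "ge": bit(dr7, 9),              # global exact breakpoint match
        "reserved_bit10": bit(dr7, 10), # always 1 on a real CPU
        "breakpoints": {},
    }
    for n in range(4):
        local, glob = bit(dr7, 2 * n), bit(dr7, 2 * n + 1)
        if not (local or glob):
            continue                    # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) % 4
        ln = (dr7 >> (18 + 4 * n)) % 4
        info["breakpoints"][n] = {
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        }
    return info


def loaded_via_softice_loader(dr7):
    """Method 10's heuristic: 0x700 means LE and GE are both set."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


def has_memory_breakpoints(dr7):
    """True if any of DR0..DR3 is armed (a BPM-style breakpoint is active)."""
    return len(decode_dr7(dr7)["breakpoints"]) > 0


if __name__ == "__main__":
    for sample in (0x400, 0x700, 0xD0401):   # constructed sample values
        print(hex(sample), decode_dr7(sample))
```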
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;     /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                    ; HFILE_ERROR (-1) becomes 0
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386               ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

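As an added example that is not part of the original text, here is a small
Python triage scanner for the checks listed in methods 01 to 13: it matches my
own byte encodings of the instruction sequences and the device/registry strings
quoted above in a raw buffer (a constructed sample, not a real packer), so an
analyst can list which anti-SoftICE checks a file carries before stepping
through it; signature names and the sample layout are my own.

```python
import re

# Byte patterns are my own encodings of the instructions quoted on this page:
# 16-bit forms for the DOS methods, 32-bit forms for the Win32 ones. A packer
# that re-encodes or splits a sequence will not match, so hits are leads only.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') followed closely by int 3
    "m01_boundschecker": re.escape(b"\xBD\x4B\x48\x43\x42") + b".{0,8}?\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh magic values before int 3
    "m02_int3_backdoor": re.escape(b"\xBE\x47\x46\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h / mov bx,VxD_id / int 2Fh
    "m03_int2f_sice": re.escape(b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    "m04_int2f_siwvid": re.escape(b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "m05_int41_magic": re.escape(b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h
    "m07_int68": re.escape(b"\xB4\x43\xCD\x68"),
    # Method 11: device names opened with CreateFileA or _lopen
    "m11_meltice": rb"\\\\\.\\(SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    "m12_vxdcall_int41": re.escape(b"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 13: registry key of the SoftICE installation
    "m13_registry": re.escape(b"Software\\NuMega\\SoftICE"),
}


def scan(buf):
    """Return sorted (offset, signature name) pairs for every hit in buf."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(buf):
    """Return the distinct signature names found, in order of first hit."""
    seen = []
    for _, name in scan(buf):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample (not a real file): NOP filler, a Method 05 check, a
# MeltICE device name and a Method 12 VxDCall stub at known offsets.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"   # offset 16: int 41h/4Fh
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00"                             # offset 32: \\.\SICE
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"        # offset 41: VxDCall args
    + b"\x00" * 8
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```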
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed     ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>