<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker support built into SoftICE: an int 3
issued with EBP='BCHK' and AX=0004h is recognised by SoftICE's int 3
handler, which alters AL; when no debugger is resident the interrupt
returns with AL still equal to 4, so a changed AL means SoftICE is loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; untouched -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command - the command string is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


 4C19:0095  MOV  AX,0911     ; execute command.
 4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
 4C19:009A  MOV  SI,4647     ; 1st magic value.
 4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
 4C19:00A0  INT  3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
 4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
 4C19:00A4  INC  CX
 4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
 4C19:00A8  JB   0095        ; 6 different commands.
 4C19:00AA  JMP  0002        ; Bad_Guy: jmp back.
 4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is not loaded the
call leaves ES:DI = 0000:0000; any non-zero value means SoftICE is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; quick test: ES+DI == 0 taken as "not loaded"
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh (the debugger
installation check of the Windows debugging interface).
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Swapping a harmless handler (a bare iret)
into the int 41h vector first means that, when no debugger intercepts
int 41h, the call is guaranteed to return with ax untouched; an answer of
0F386h therefore has to come from a debugger hooking the interrupt
elsewhere:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our dummy handler...
        xchg bx, es:[41h*4+2]   ; ...and keep the old vector in BX:DX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The replacement handler copies AL into CL, so the check passes only if
the handler that actually ran was the program's own one (CL then equals
AL). Any other outcome (the interrupt being swallowed by a debugger, or
AL being altered on the way back) is reported as SoftICE. Because AL is
read from the timer port 40h, there is no fixed magic value to search
for; the price is a false negative when the byte read happens to be 0.


int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value (PIT counter)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86 mode). Function
43h of int 68h is the int 68h counterpart of the int 41h/4Fh installation
check and is answered with 0F386h by a resident system debugger.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to
another routine. Once the trace and breakpoint interrupts no longer
reach the debugger, every single-step or breakpoint lands in the
program's own routine instead.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their values (in ring0 only). The values can be manipulated or changed as
well (clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;    /* the driver accepted the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-001
        00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
in the subkey strings of #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________
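The breakpoint conditions given with the methods above catch these tricks live,
under SoftICE. The following Python script is an added example, not code from
the original text and not NuMega's or any of the quoted programs' code: it
scans a raw code/data blob offline for the same instruction sequences, device
names and registry keys, the way you would triage a packed sample before
loading it. The rule names, the scan() function, the slack windows allowed
between instructions and the constructed SAMPLE blob are my own choices; the
opcode bytes are the 16-bit encodings of the instructions listed above (an
optional 66h prefix also matches their 32-bit form). Methods 06, 08 to 10 and
14 have no stable byte sequence in the text and are left out.

```python
"""Offline signature scan for the SoftICE-detection idioms described above.

Added example, not code from the original page. The byte patterns are the
16-bit encodings of the instructions quoted for each method (an optional
66h operand-size prefix also matches their 32-bit encodings); the rule
names, slack windows and the SAMPLE blob are constructed for this example.
"""
import re

# (rule name, bytes regex). Lazy ".{0,n}?" gaps allow a few unrelated
# instructions between the parts of a sequence.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ; mov ax,4 (B8 04 00) ; int 3 (CC)
    ("M01 BCHK/int3",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc", re.DOTALL)),
    # Method 02: mov ax,0910h..0914h ; mov si,4647h (BE 47 46) ; mov di,4A4Dh (BF 4D 4A) ; int 3
    ("M02 backdoor int3",
     re.compile(rb"\x66?\xb8[\x10-\x14]\x09.{0,16}?\xbe\x47\x46.{0,16}?"
                rb"\xbf\x4d\x4a.{0,16}?\xcc", re.DOTALL)),
    # Methods 03/04: mov ax,1684h (B8 84 16) and mov bx,0202h|7A5Fh (BB ..), either order ; int 2Fh (CD 2F)
    ("M03/04 int2F/1684 entry point",
     re.compile(rb"(?:\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a)"
                rb"|\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xb8\x84\x16).{0,8}?\xcd\x2f", re.DOTALL)),
    # Method 05: mov ax,4Fh (B8 4F 00) ; int 41h (CD 41)
    ("M05 int41 fn 4F", re.compile(rb"\xb8\x4f\x00.{0,8}?\xcd\x41", re.DOTALL)),
    # Method 07: mov ah,43h (B4 43) ; int 68h (CD 68)
    ("M07 int68 fn 43", re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.DOTALL)),
    # Methods 05/07/12: cmp ax,0F386h (3D 86 F3); weak alone, corroborates the rules above
    ("magic F386 compare", re.compile(rb"\x66?\x3d\x86\xf3", re.DOTALL)),
    # Method 12: push 4Fh (6A 4F) ; push 2A002Ah (68 2A 00 2A 00) before the VxDCall
    ("M12 VxDCall Int41Dispatch", re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
]

# Method 11 device names and Method 13 registry keys, searched as ANSI and as
# UTF-16LE so that both the A and W flavours of CreateFile/RegOpenKey are caught.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                 b"App Paths\\Loader32.Exe"]


def _find_all(blob: bytes, needle: bytes):
    """Yield every (possibly overlapping) offset of needle in blob."""
    start = 0
    while (i := blob.find(needle, start)) != -1:
        yield i
        start = i + 1


def scan(blob: bytes):
    """Return sorted (offset, rule) pairs for every signature found in blob."""
    hits = []
    for name, rx in SIGNATURES:
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    for label, needles in (("M11 device name", DEVICE_NAMES),
                           ("M13 registry key", REGISTRY_KEYS)):
        for s in needles:
            for enc in (s, s.decode("ascii").encode("utf-16-le")):
                hits.extend((i, f"{label} {s.decode('ascii')}")
                            for i in _find_all(blob, enc))
    return sorted(hits)


# Constructed sample: the page's idioms assembled by hand as raw bytes
# (not taken from any real binary). Offsets are noted for reference.
SAMPLE = b"".join([
    bytes.fromhex("BD4B484342 B80400 CC 3C04 7500"),            # M01 @0
    bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302"),       # M02 @13
    bytes.fromhex("31FF 8EC7 B88416 BB0202 CD2F"),              # M03 @28, mov ax @32
    bytes.fromhex("B84F00 CD41 3D86F3 7400"),                   # M05 @40, cmp @45
    bytes.fromhex("B443 CD68 3D86F3"),                          # M07 @50, cmp @54
    bytes.fromhex("6A4F 682A002A00 E800000000 663D86F3 7400"),  # M12 @57 (32-bit), cmp @69
    b"\\\\.\\SICE\0",                                             # M11 ANSI @75
    b"Software\\NuMega\\SoftICE\0",                               # M13 @84
    "\\\\.\\NTICE".encode("utf-16-le"),                          # M11 wide @108
])

if __name__ == "__main__":
    for offset, rule in scan(SAMPLE):
        print(f"{offset:#06x}  {rule}")
```

Run it as a script to list the hits in the constructed blob; to scan a real
file, pass open(path, "rb").read() to scan(). The bare cmp ax,0F386h rule is
three common bytes and will fire on unrelated code, so treat it as
corroboration for the int 41h/int 68h rules rather than as a hit on its own.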


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>