About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get entry point'):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es must point to segment 0 (the IVT), as in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler copies al into cl; if SoftICE
    iret                            ; intercepts int 41h instead, cl stays 0
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer byte: an unpredictable value for al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
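As an added example (not from the original post), here is a Python decoder for the DR7 layout this paragraph relies on. It shows why 0x400 is the quiescent value (bit 10 always reads as 1), why 0x700 means the LE and GE exact-match bits are set on top of it, and how a BPM on DR0..DR3 shows up as an enabled slot with its R/W and LEN fields. Field positions follow the Intel SDM debug-register description; the function names and the sample values are this example's own.

```python
"""Decode an x86 DR7 value the way Method 10 reads it from ring0.

Added example (not from the original post). The bit layout is the
architectural one from the Intel SDM (vol. 3, "Debug Registers"); the
values quoted in the text, 0x400 and 0x700, are explained by it.
"""
from typing import Dict, List

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # LEN=10b means 8 bytes only in 64-bit mode
DR7_RESERVED_BIT10 = 1 << 10   # always reads as 1; on its own this is the 0x400 the text mentions
DR7_LE = 1 << 8                # local exact breakpoint match
DR7_GE = 1 << 9                # global exact breakpoint match (0x700 = 0x400 | LE | GE)
DR7_GD = 1 << 13               # general detect: trap any access to DR0-DR7


def decode_dr7(value: int) -> Dict[str, object]:
    """Split DR7 into its flags and the breakpoint slots that are enabled.

    Slot n uses bits 2n (Ln) and 2n+1 (Gn) for enables, bits 16+4n..17+4n
    for R/Wn and bits 18+4n..19+4n for LENn.
    """
    slots: List[Dict[str, object]] = []
    for n in range(4):
        local = bool((value >> (2 * n)) & 1)
        glob = bool((value >> (2 * n + 1)) & 1)
        rw = (value >> (16 + 4 * n)) & 0b11
        ln = (value >> (18 + 4 * n)) & 0b11
        if local or glob:
            slots.append({"slot": n, "local": local, "global": glob,
                          "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "value": value,
        "le": bool(value & DR7_LE),
        "ge": bool(value & DR7_GE),
        "gd": bool(value & DR7_GD),
        "slots": slots,
    }


def enabled_slots(value: int) -> List[int]:
    """Indices of DR0-DR3 that hold an active hardware breakpoint (a BPM)."""
    return [int(s["slot"]) for s in decode_dr7(value)["slots"]]


def is_baseline(value: int) -> bool:
    """True when DR7 holds only the reserved bit: no slots, no LE/GE, no GD."""
    return value == DR7_RESERVED_BIT10


def describe(value: int) -> str:
    """One-line human-readable rendering of a DR7 value."""
    d = decode_dr7(value)
    flags = [name for name, on in (("LE", d["le"]), ("GE", d["ge"]), ("GD", d["gd"])) if on]
    parts = [f"DR7=0x{value:08X}", "flags=" + ("+".join(flags) or "none")]
    for s in d["slots"]:
        scope = ("L" if s["local"] else "") + ("G" if s["global"] else "")
        parts.append(f"DR{s['slot']}:{scope} {s['kind']} len={s['length']}")
    if not d["slots"]:
        parts.append("no hardware breakpoints")
    return "  ".join(parts)


if __name__ == "__main__":
    # 0x400: quiescent; 0x700: LE+GE set; last one: a 4-byte read/write BPM in DR0
    for v in (0x400, 0x700, 0x400 | 0b01 | (0b11 << 16) | (0b11 << 18)):
        print(describe(v))
```

Reading DR7 requires ring0, as the text says; the decoder is meant for values captured from a kernel-mode dump or an emulator, so the difference between "no breakpoints" and "a BPM is armed" can be read off without re-deriving the bit positions.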

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device (the SoftICE Win9x driver) can be opened. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* CreateFileA explicitly: the device name is an ANSI string. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

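The SoftICE breakpoints listed under Methods 11 and 13 catch these checks at run time. As an added example (not code from the original post), here is a Python static-triage helper that does the same job on disk: it scans a binary blob for the byte patterns behind Methods 01, 02, 03, 04, 05, 07, 11, 12 and 13, so an analyst can tell which of the catalogued checks a sample carries, and where, before stepping through it. The signature table is derived from the x86 encodings of the snippets above (immediates are little-endian; the opcode byte is matched so an optional 66h prefix in 32-bit code does not matter); the sample blob is constructed here and the names SIGNATURES, scan(), summarize() and SAMPLE are this example's own.

```python
"""Static triage for the anti-SoftICE idioms catalogued above.

Each signature is the x86 byte encoding (or literal string) of a snippet in
the text, so a hit says *which* method a sample uses and where. Added
example; SIGNATURES, scan(), summarize() and SAMPLE are this example's names.
"""
import re
from typing import Dict, List, Tuple


def _lit(s: bytes) -> bytes:
    """Escape a literal byte string so it can sit in the regex table."""
    return re.escape(s)


# name -> (byte regex, description).  x86 immediates are little-endian:
# mov si,4647h is BE 47 46, cmp ax,0F386h is 3D 86 F3, and so on.  A 66h
# operand-size prefix may precede these in 32-bit code; the patterns start
# at the opcode byte so they match with or without it.
SIGNATURES: Dict[str, Tuple[bytes, str]] = {
    "bchk_int3":      (rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
                       "Method 01: mov ebp,'BCHK' ... int 3 (BoundsChecker signature)"),
    "backdoor_magic": (rb"\xBE\x47\x46\xBF\x4D\x4A",
                       "Method 02: mov si,4647h / mov di,4A4Dh (int 3 back door)"),
    "vxd_sice":       (rb"\xBB\x02\x02\xCD\x2F",
                       "Method 03: mov bx,0202h / int 2Fh (SICE VxD id)"),
    "vxd_siwvid":     (rb"\xBB\x5F\x7A\xCD\x2F",
                       "Method 04: mov bx,7A5Fh / int 2Fh (SIWVID VxD id)"),
    "int41_4f":       (rb"\xB8\x4F\x00\xCD\x41",
                       "Method 05: mov ax,4Fh / int 41h"),
    "int68_43":       (rb"\xB4\x43\xCD\x68",
                       "Method 07: mov ah,43h / int 68h"),
    "magic_f386":     (rb"\x3D\x86\xF3",
                       "Methods 05/07/12: cmp ax,0F386h"),
    "vxdcall_int41":  (rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
                       "Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch)"),
    "dev_sice":       (_lit(b"\\\\.\\SICE"),   "Method 11: \\\\.\\SICE device name"),
    "dev_siwvid":     (_lit(b"\\\\.\\SIWVID"), "Method 11: \\\\.\\SIWVID device name"),
    "dev_ntice":      (_lit(b"\\\\.\\NTICE"),  "Method 11: \\\\.\\NTICE device name"),
    "reg_numega":     (_lit(b"Software\\NuMega\\SoftICE"),
                       "Method 13: HKLM\\Software\\NuMega\\SoftICE registry path"),
}


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, name, description) for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str, str]] = []
    for name, (pattern, desc) in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name, desc))
    return sorted(hits)


def summarize(blob: bytes) -> Dict[str, List[int]]:
    """Map each signature that fired to the offsets where it was found."""
    out: Dict[str, List[int]] = {}
    for off, name, _ in scan(blob):
        out.setdefault(name, []).append(off)
    return out


# Constructed sample: NOP padding around hand-assembled fragments of the
# snippets above (this is not a real binary).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01 (32-bit)
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 loop body
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # Method 05
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00"                           # Method 11 strings
    + b"\x90" * 3
    + b"Software\\NuMega\\SoftICE\x00"                               # Method 13 key
)

if __name__ == "__main__":
    for off, name, desc in scan(SAMPLE):
        print(f"0x{off:04X}  {name:15s} {desc}")
```

Run it on a packed sample before loading it under the debugger: a hit on the Method 02 magic values or the Method 12 VxDCall stub tells you which of the listed breakpoints is worth setting, and the device-name and registry-path hits will also surface in a plain strings dump, which is why the encoded-instruction patterns are the more useful half of the table.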
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
1 k. y; d/ j7 ^& _</PRE></TD></TR></TBODY></TABLE>