<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It uses the
BoundsChecker interface of SoftICE: with EBP holding the 'BCHK' magic value,
the INT 3 is serviced by SoftICE, which modifies AL; without SoftICE, AX is
left untouched (the code only tests that AL is no longer 4).

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; handled by SoftICE if it is loaded
        cmp al, 4               ; AL still 4 -> nobody answered
        jnz SoftICE_Detected

Under Win32 an INT 3 with no debugger present raises a breakpoint exception,
so packers wrap this check in an exception handler (see the note on the HASP
example in Method 02).
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It relies on the
SoftICE 'back door' interface, which gives information on breakpoints or
executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is loaded, ES:DI
receives its API entry point; otherwise ES:DI is left at 0:0.


        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; a non-zero segment or offset means it answered
        test ax, ax
        jnz SoftICE_Detected


___________________________________________________________________________
. {# I6 N* z% t, E4 RMethod 04: \7 s: s1 ~7 G/ a6 v' ]! P: U$ w
=========. q7 a% W4 U* h7 v
|( q1 Y- h: z# q5 `# Y3 [7 |7 Q
Method identical to the preceding one except that it seeks the ID of SoftICE
; K" s" n/ I* Z$ ]( R: D$ q- d kGFX VxD.
- T! Z0 {) m3 U4 R
4 O+ ]( J2 r+ }# R1 G xor di,di
& F( \0 F o$ H; t g/ t mov es,di
$ \" f3 I: V9 b& T) L mov ax, 1684h
1 I; M/ b9 R. `/ b+ j9 d/ X mov bx, 7a5Fh ; VxD ID of SIWVID
. p5 C# a/ v! ]: Z2 [" s0 y1 s int 2fh" T5 P7 b$ Y6 b& C/ p+ m
mov ax, es ; ES:DI -> VxD API entry point
! A; P f$ t& g; J+ h( x- G add ax, di
( @- |4 C) @" p I: B( L7 m$ d' K3 X/ x test ax,ax% h# C9 O$ a5 Y5 d% u
jnz SoftICE_Detected
, D: ^1 i2 I% j* h8 i) U- y( G6 ?: a% y, G
__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh ("is a debugger installed?").
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one (Method 06) are two examples
from Stone's "stn-wid.zip" (www.cracking.net). This one swaps the real-mode
int 41h vector with a dummy IRET handler for the duration of the call:
SoftICE intercepts INT 41h in ring 0 before the real-mode vector is used, so
it still answers 0F386h, whereas without SoftICE the stub returns with AX
untouched; any hook installed in the vector table itself is bypassed.

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old offset in DX
        xchg bx, es:[41h*4+2]   ; ... and the old segment in BX
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but harder to spot, because it
uses neither function 4Fh nor the constant 0F386h: the handler copies AL into
CL, and AL is a byte read from the timer (port 40h), so there is no fixed
value to put a conditional breakpoint on. If SoftICE intercepts the INT 41h,
the installed handler never runs and CL stays 0 (a 1-in-256 false negative
when the timer byte happens to be 0).

int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random byte from the PIT counter
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL == AL only if our handler ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86 kernel-debugger
interface): function AH=43h is the installation check and also returns the
0F386h magic number.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX Exec_Int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h (the trap and breakpoint interrupts a
debugger relies on) and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)


        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX = new handler
        int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service is used to determine whether a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it is.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether SoftICE
is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3 hold their
addresses, dr7 their enable bits). The values can also be manipulated or
changed (clearing BPMs, for instance).

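The following is an added example, not code from the original page: it decodes the
debug registers the way a ring-0 check like the one above would have to read them.
The DR7 field layout (Ln/Gn enable bits, LE/GE, R/Wn and LENn) is the standard x86
one; the values 0x700 and 0x400 are the ones quoted in the text, and the sample
dr0 address is constructed for the demonstration.

```c
/* Added example (not from the original page): decoding DR7 and the DR0-DR3
 * addresses a ring-0 anti-debug check such as Method 10 reads.
 * Build: cc -std=c99 dr7.c */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int local_en[4];   /* Ln  (bits 0,2,4,6) */
    int global_en[4];  /* Gn  (bits 1,3,5,7) */
    int rw[4];         /* R/Wn: 0 exec, 1 write, 2 I/O, 3 read/write */
    int len[4];        /* LENn: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes (2 = 8, 64-bit only) */
    int le, ge;        /* bits 8, 9: local/global exact breakpoint flags */
} dr7_fields_t;

dr7_fields_t decode_dr7(uint32_t dr7)
{
    dr7_fields_t f;
    for (int n = 0; n < 4; n++) {
        f.local_en[n]  = (dr7 >> (2 * n))      & 1;
        f.global_en[n] = (dr7 >> (2 * n + 1))  & 1;
        f.rw[n]        = (dr7 >> (16 + 4 * n)) & 3;
        f.len[n]       = (dr7 >> (18 + 4 * n)) & 3;
    }
    f.le = (dr7 >> 8) & 1;
    f.ge = (dr7 >> 9) & 1;
    return f;
}

/* Number of DRn slots with a local or global enable bit set: the
 * "some memory breakpoints are set" condition of Method 10. */
int dr7_armed_count(uint32_t dr7)
{
    int c = 0;
    for (int n = 0; n < 4; n++)
        if (dr7 & (3u << (2 * n))) c++;
    return c;
}

/* The 0x700 vs 0x400 heuristic from the text: bit 10 is reserved and always
 * reads 1 (hence 0x400 on a clean machine); a program started through the
 * SoftICE loader additionally shows LE and GE set (0x700). */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

/* Print the hardware breakpoints that dr7 arms, with their addresses. */
void describe_bpms(uint32_t dr7, const uint32_t dr[4])
{
    static const char *rw_name[]   = { "exec", "write", "io", "read/write" };
    static const int   len_bytes[] = { 1, 2, 8, 4 };
    dr7_fields_t f = decode_dr7(dr7);
    printf("dr7=%08x  LE=%d GE=%d  armed=%d  loader-style=%d\n", dr7, f.le, f.ge,
           dr7_armed_count(dr7), dr7_looks_like_softice_loader(dr7));
    for (int n = 0; n < 4; n++)
        if (f.local_en[n] || f.global_en[n])
            printf("  dr%d=%08x %s, %d byte(s)%s\n", n, dr[n], rw_name[f.rw[n]],
                   len_bytes[f.len[n]], f.global_en[n] ? " (global)" : "");
}

int main(void)
{
    /* Constructed sample values: the two dr7 values named in the text, and a
     * 4-byte read/write BPM armed on dr0 (L0 set, R/W0=11, LEN0=11). */
    const uint32_t no_bpm[4]  = { 0, 0, 0, 0 };
    const uint32_t one_bpm[4] = { 0x00401000u, 0, 0, 0 };
    describe_bpms(0x400u, no_bpm);                 /* clean machine               */
    describe_bpms(0x700u, no_bpm);                 /* started via SoftICE loader  */
    describe_bpms(0x700u | 0x000F0001u, one_bpm);  /* plus a BPM on 401000 RW     */
    return 0;
}
```

The decoder is also what you would use in the other direction: a protection that
clears dr0-dr3 and the low byte of dr7 removes exactly the BPMs this prints, which
is why the warning at the top of the method tells you to clear them first.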
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega to let the Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; if the open succeeds, the driver,
and therefore SoftICE, is present.

Here is a sample (checking for 'SICE'):

/* Win32 (windows.h): TRUE if the \\.\SICE device can be opened */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001           ; INVALID_HANDLE_VALUE
        00401074: je 00401091            ; not opened -> no SoftICE


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:


        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                  ; HFILE_ERROR (-1) + 1 == 0
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

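Since every check from Methods 01 to 07, 11 and 12 boils down to a short, fixed
instruction sequence or a fixed device-name string, a static scanner can flag them
in a packed executable before you ever run it under SoftICE. The following is an
added example, not code from the original page or from any of the programs it
names: the byte patterns are the encodings of the listings above, assembled by
hand (16-bit encodings for the DOS snippets, 32-bit for the Bleem sequence), so
they are an assumption and a packer that reorders or obfuscates the instructions
will not match. The sample buffer is constructed for the demonstration.

```c
/* Added example (not from the original page): byte-signature scanner for the
 * SoftICE checks of Methods 01-07, 11 and 12.  Build: cc -std=c99 sice_scan.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;
    const uint8_t *pat;
    size_t         len;
    uint8_t        follow;  /* byte that must occur within 'window' bytes after the match, 0 = none */
    size_t         window;
} sig_t;

typedef struct { const char *name; size_t off; } hit_t;

/* Hand-assembled encodings (assumption: exact instruction order as listed). */
static const uint8_t m01[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                   /* mov ebp,4243484Bh 'BCHK' */
static const uint8_t m02[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC };       /* mov si,4647h; mov di,4A4Dh; int 3 */
static const uint8_t m03[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h; mov bx,0202h; int 2Fh */
static const uint8_t m04[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov ax,1684h; mov bx,7A5Fh; int 2Fh */
static const uint8_t m05[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                   /* mov ax,4Fh; int 41h */
static const uint8_t m07[] = { 0xB4, 0x43, 0xCD, 0x68 };                         /* mov ah,43h; int 68h */
static const uint8_t m12[] = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };       /* push 4Fh; push 2A002Ah (VxDCall) */

static const sig_t SIGS[] = {
    { "M01", m01, sizeof m01, 0xCC, 8 },   /* the int 3 must follow within 8 bytes */
    { "M02", m02, sizeof m02, 0, 0 },
    { "M03", m03, sizeof m03, 0, 0 },
    { "M04", m04, sizeof m04, 0, 0 },
    { "M05", m05, sizeof m05, 0, 0 },
    { "M07", m07, sizeof m07, 0, 0 },
    { "M12", m12, sizeof m12, 0, 0 },
    { "M11", (const uint8_t *)"\\\\.\\SICE",   8,  0, 0 },   /* MeltICE device names */
    { "M11", (const uint8_t *)"\\\\.\\SIWVID", 10, 0, 0 },
    { "M11", (const uint8_t *)"\\\\.\\NTICE",  9,  0, 0 },
};

/* Scan buf for every signature; hits come back ordered by offset. */
size_t scan_buffer(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max_hits; off++) {
        for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0] && n < max_hits; s++) {
            const sig_t *sg = &SIGS[s];
            if (sg->len > len - off || memcmp(buf + off, sg->pat, sg->len) != 0)
                continue;
            if (sg->follow) {              /* e.g. M01: an INT 3 must come shortly after */
                size_t start = off + sg->len, end = start + sg->window;
                if (end > len) end = len;
                if (!memchr(buf + start, sg->follow, end - start))
                    continue;
            }
            hits[n].name = sg->name;
            hits[n].off  = off;
            n++;
        }
    }
    return n;
}

/* Constructed sample, hand-assembled from the listings above: 16 NOPs, the
 * HASP Envelope loop of Method 02, a 32-bit Method 01 check, the Bleem
 * VxDCall sequence of Method 12 and a MeltICE device name.  Returns length. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t body[] = {
        0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,        /* 4C19:0095..00A0 */
        0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB,                        /* 4C19:00A1..00A8 */
        0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04,         /* Method 01, 32-bit */
        0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xE8,0,0,0,0, 0x66,0x3D,0x86,0xF3, /* Method 12 */
        '\\','\\','.','\\','S','I','C','E',0                                   /* Method 11 */
    };
    if (cap < 16 + sizeof body) return 0;
    memset(out, 0x90, 16);
    memcpy(out + 16, body, sizeof body);
    return 16 + sizeof body;
}

int main(void)
{
    uint8_t buf[128];
    hit_t hits[16];
    size_t len = build_sample(buf, sizeof buf);
    size_t n = scan_buffer(buf, len, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("%s at offset 0x%zx\n", hits[i].name, hits[i].off);
    return 0;
}
```

Run it on a file by replacing build_sample with a read of the file into a larger
buffer; offsets reported on a packed executable point at the packer stub, which is
where the conditional breakpoints listed under each method should be set. Method
06 is absent from the table on purpose: it carries no fixed constant to match,
which is exactly why the text calls it harder to detect.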
__________________________________________________________________________$ h* V. w7 l3 x* z% n8 g) y
Method 13
=========

Not a real detection method, but a good way to know if SoftICE is installed
on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>