<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of the BoundsChecker interface in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK' : BoundsChecker signature
 mov ax, 04h
 int 3 ; serviced by SoftICE's int 3 handler when it is loaded
 cmp al,4 ; al is left untouched when nobody answered the int 3
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di ; ES:DI = 0:0 before the call
 mov ax, 1684h ; Get Device API Entry Point
 mov bx, 0202h ; VxD ID of winice (SICE)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (still 0:0 if no such VxD)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di ; ES:DI = 0:0 before the call
 mov ax, 1684h ; Get Device API Entry Point
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point (still 0:0 if no such VxD)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh ; function 4Fh: debugger installation check
 int 41h
 cmp ax, 0F386h ; magic value answered by a system debugger
 jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler,
 xchg bx, es:[41h*4+2] ; saving the old vector in dx:bx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; our handler leaves ax alone: only a debugger answers
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al ; our handler copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler,
 xchg bx, es:[41h*4+2] ; saving the old vector in dx:bx
 in al, 40h ; read the timer port to get a varying value in al
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl==al only if our own handler was the one that ran
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h ; same magic value as int 41h/4Fh
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


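As an added example (not part of the original text), the Python script below scans a byte buffer for the instruction sequences of Methods 01 to 07, the kind of static triage an analyst does on a packed sample before stepping into it with a debugger. The signatures are hand-assembled 16-bit x86 encodings of the instructions quoted above (the same opcode bytes appear behind an operand-size prefix in the other mode, so a substring match still applies); the window sizes are a judgment call, and the sample buffer is constructed here from the Haspinst.exe loop of Method 02 and the simplest Method 05 check.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    parts: tuple   # instruction byte strings that must all be present
    window: int    # all parts must lie within this many bytes of the first


# Hand-assembled encodings of the instructions each method relies on
# (B8/BB/BE/BF = mov ax/bx/si/di,imm16; B4 = mov ah,imm8; BD = mov ebp,imm32;
# CD = int imm8; 3D = cmp ax,imm16; E4 = in al,imm8; CC = int 3).
SIGNATURES = (
    Signature("M01 BoundsChecker 'BCHK' via int 3",
              (bytes.fromhex("BD 4B 48 43 42"),), 5),                 # mov ebp,4243484Bh
    Signature("M02 int 3 back door (SI=4647h, DI=4A4Dh)",
              (bytes.fromhex("BE 47 46"), bytes.fromhex("BF 4D 4A"), b"\xcc"), 16),
    Signature("M03 int 2Fh/1684h, VxD ID 0202h (SICE)",
              (bytes.fromhex("B8 84 16"), bytes.fromhex("BB 02 02"), bytes.fromhex("CD 2F")), 16),
    Signature("M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
              (bytes.fromhex("B8 84 16"), bytes.fromhex("BB 5F 7A"), bytes.fromhex("CD 2F")), 16),
    Signature("M05 int 41h/4Fh, magic 0F386h",
              (bytes.fromhex("B8 4F 00"), bytes.fromhex("CD 41"), bytes.fromhex("3D 86 F3")), 24),
    Signature("M06 int 41h probe with in al,40h",
              (bytes.fromhex("E4 40"), bytes.fromhex("CD 41")), 8),
    Signature("M07 int 68h/43h, magic 0F386h",
              (bytes.fromhex("B4 43"), bytes.fromhex("CD 68"), bytes.fromhex("3D 86 F3")), 16),
)


def scan(buf: bytes) -> list:
    """Return (offset, signature name) for every place where a signature's
    first instruction occurs and its other instructions follow within the window."""
    hits = []
    for sig in SIGNATURES:
        first = sig.parts[0]
        pos = buf.find(first)
        while pos >= 0:
            region = buf[pos:pos + sig.window]
            if all(part in region for part in sig.parts[1:]):
                hits.append((pos, sig.name))
            pos = buf.find(first, pos + 1)
    return sorted(hits)


# Constructed sample: NOP padding, the Method 02 loop from Haspinst.exe above
# (16-bit encoding), more padding, then the simplest Method 05 check.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("B8 11 09"    # mov ax,0911h
                    "8B 17"       # mov dx,[bx]
                    "BE 47 46"    # mov si,4647h
                    "BF 4D 4A"    # mov di,4A4Dh
                    "CC"          # int 3
                    "83 C3 02"    # add bx,2
                    "41"          # inc cx
                    "83 F9 06"    # cmp cx,6
                    "72 EB")      # jb back to the top of the loop
    + b"\x90" * 8
    + bytes.fromhex("B8 4F 00"    # mov ax,4Fh
                    "CD 41"       # int 41h
                    "3D 86 F3"    # cmp ax,0F386h
                    "74 FE")      # jz SoftICE_detected
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The scanner reports the Method 02 loop at offset 13 (the `mov si,4647h`) and the Method 05 check at offset 37; clean NOP padding produces no hits. Matching on the magic immediates rather than whole sequences keeps it tolerant to the register shuffling between them (compare Stone's variant in Method 05), at the cost of the occasional false positive on data that happens to contain those bytes, so treat a hit as a place to look, not a verdict.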
Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> the new handler
 int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

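Added example (not part of the original text): a DR7 decoder in Python, following the bit layout Intel documents for the debug control register, so the values quoted above can be read and the armed hardware breakpoints (the BPMs the text mentions) listed. The 0x700-versus-0x400 rule is the page's own observation, reproduced here as a helper; the sample value with DR0 armed is constructed.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bit  8/9   LE/GE           local/global exact breakpoint enable
#   bit  10    reserved, always reads as 1 (hence a "clean" DR7 is 0x400)
#   bit  13    GD              general detect (traps any MOV to/from DRx)
#   bits 16+4n R/Wn, 18+4n LENn  type and length of breakpoint n
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN=10b means 8 bytes only in 64-bit mode; it is undefined on the 32-bit systems here.
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and a list of the armed DR0..DR3 breakpoints."""
    info = {
        "local_exact": bool(dr7 & DR7_LE),
        "global_exact": bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue   # DRn holds an address but is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "reg": f"dr{n}", "local": local, "global": glob,
            "type": RW_NAMES[rw], "length": LEN_BYTES[ln],
        })
    return info


def loaded_through_softice_loader(dr7: int) -> bool:
    """The page's heuristic: dr7 == 0x700 (LE|GE on top of the reserved bit)
    when the program was started by the SoftICE loader, 0x400 otherwise."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def armed_registers(dr7: int) -> list:
    """Names of the debug registers with an enabled breakpoint, e.g. ['dr0']."""
    return [bp["reg"] for bp in decode_dr7(dr7)["breakpoints"]]


# Constructed value: reserved bit, L0 set, R/W0 = 11b, LEN0 = 11b,
# i.e. a 4-byte read/write breakpoint on DR0 (what a BPM RW would arm).
SAMPLE_DR7_WITH_BPM = DR7_RESERVED | 0x1 | (0b11 << 16) | (0b11 << 18)

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_DR7_WITH_BPM):
        print(f"dr7={value:#x}: loader={loaded_through_softice_loader(value)} "
              f"armed={armed_registers(value)}")
```

Reading these registers requires ring 0, as the text says; the decoder is what you would apply to a value captured there (or to a DR7 dumped from a crash report or a VM snapshot) to tell a clean state from one with hardware breakpoints set.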
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* open the VxD by its device name: succeeds only if SoftICE is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

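Added example (not part of the original text): the SoftICE breakpoint conditions of Methods 11, 12 and 13 modelled in plain Python, so the hard-coded offsets can be checked against the device names and registry paths quoted above. esp->4 and esp->8 are the first and second stack arguments of the hooked API, and *(ptr+off)=='XXXX' is modelled as a four-character compare at that offset (an assumption about how the expression evaluator reads memory, adequate for checking where the offsets land); the inputs are the strings from the text plus constructed non-matching ones.

```python
# First four characters after the "\\.\" prefix of the device names MeltICE opens.
SOFTICE_DEVICE_TAGS = ("SICE", "SIWV", "NTIC")


def chars_at(s: str, off: int) -> str:
    """The four characters a '*(ptr+off)==XXXX' compare looks at (modelled as a
    plain 4-character slice; assumption about the evaluator, see lead-in)."""
    return s[off:off + 4]


def createfile_bpx_hits(lp_file_name: str) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ... 'SIWV' || ... 'NTIC'
    esp->4 is the first argument, lpFileName; +4 skips the "\\\\.\\" prefix."""
    return chars_at(lp_file_name, 4) in SOFTICE_DEVICE_TAGS


def regopenkey_bpx_hits(lp_sub_key: str) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is the second argument, lpSubKey. 0x13 is where "tICE" sits in key #2
    (Software\\NuMega\\SoftICE) and 0x37 where it sits in key #1 (the Uninstall key)."""
    return chars_at(lp_sub_key, 0x13) == "tICE" or chars_at(lp_sub_key, 0x37) == "tICE"


def split_vxdcall_service(code: int) -> tuple:
    """VxDCall service codes such as 002A002Ah: high word = VxD ID, low word = service.
    002A001Fh in the BPINT 30 condition is therefore VWIN32 (2Ah) service 1Fh."""
    return (code >> 16) & 0xFFFF, code & 0xFFFF


# Registry paths from the text (key name only, hive stripped) and the device names.
KEY_1 = r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"
KEY_2 = r"Software\NuMega\SoftICE"
KEY_3 = r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe"

if __name__ == "__main__":
    for name in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE", r"\\.\PhysicalDrive0"):
        print(f"{name:22} CreateFileA bpx fires: {createfile_bpx_hits(name)}")
    for key in (KEY_1, KEY_2, KEY_3):
        print(f"{key}\n    _regopenkey bpx fires: {regopenkey_bpx_hits(key)}")
    print("002A002Ah ->", [hex(v) for v in split_vxdcall_service(0x002A002A)])
```

Running it shows that the _regopenkey condition fires for keys #1 and #2 but not for #3 (the App Paths key has "der3" at 0x37 and "Wind" at 0x13), which is worth knowing if you rely on that single breakpoint; a condition on the CreateFileA path matches by the four characters after the prefix, so "\\.\SIWVID" is caught by the 'SIWV' comparison.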
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>