About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It seeks the
signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used to
get the SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands... It is also used to crash SoftICE and to force it
to execute any command (HBOOT...) :-((

Here is a quick description:
- AX = 0910h   (Display string in SIce window)
- AX = 0911h   (Execute SIce command; the command string is at ds:dx)
- AX = 0912h   (Get breakpoint info)
- AX = 0913h   (Set SIce breakpoints)
- AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
- SI = 4647h
- DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax, ax
    mov     es, ax          ; es = 0 -> real-mode IVT (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax, 4Fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;          /* the device could be opened: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
- The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

- The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

- or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

- Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

- #1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
- #2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
- #3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.