About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point to segment 0 (the IVT) here
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer value: a quasi-random byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler copied al into cl; a debugger hooking int 41h did not
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
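From the analyst's side, the tricks above leave recognisable byte sequences in a binary (the 'BCHK' immediate, the SI/DI magic values, the int 2Fh/1684h call with a SoftICE VxD ID, the int 41h/4Fh call and the 0F386h compare, the `\\.\SICE` driver names, the NuMega registry key). The following Python scanner is an added example, not code from the original post; it flags those sequences in a file so a sample can be triaged before it is run under a debugger. The opcode bytes were hand-assembled by me for 16-bit real-mode code (method 01 in 32-bit code) and are an assumption, not bytes taken from the post; the sample blob is constructed for the demonstration.

```python
import re

# Signatures for the anti-SoftICE tricks described above. Opcode bytes are
# hand-assembled (assumption: 16-bit code, method 01 in 32-bit code); in
# 32-bit code a 66h prefix precedes the 16-bit movs and still matches, since
# the patterns do not anchor on the prefix. ".{0,8}?" allows a few unrelated
# bytes between the instructions of one trick.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ... int 3 (BoundsChecker signature check)
    ("M01 BoundsChecker 'BCHK' / int 3", rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", 0),
    # Method 02: mov si,4647h ; mov di,4A4Dh (back door magic values)
    ("M02 back door magic SI=4647h DI=4A4Dh", rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a", 0),
    # Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh (SICE VxD entry point)
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x02\x02.{0,8}?\xcd\x2f", 0),
    # Method 04: same check with VxD ID 7A5Fh (SIWVID)
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x5f\x7a.{0,8}?\xcd\x2f", 0),
    # Method 05: mov ax,4Fh ; int 41h
    ("M05 int 41h/4Fh debugger check", rb"\xb8\x4f\x00.{0,8}?\xcd\x41", 0),
    # Methods 05/07/12: cmp ax,0F386h (magic number of system debuggers)
    ("M05/07/12 cmp ax,0F386h", rb"\x3d\x86\xf3", 0),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h", rb"\xb4\x43\xcd\x68", 0),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall 002A002Ah/4Fh", rb"\x6a\x4f\x68\x2a\x00\x2a\x00", 0),
    # Method 11: driver names opened by MeltICE-style code
    ("M11 driver name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
    # Method 13: NuMega registry key
    ("M13 registry key", rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
]

COMPILED = [(name, re.compile(pat, flags | re.DOTALL)) for name, pat, flags in SIGNATURES]


def scan(blob):
    """Return a sorted list of (offset, signature name) for every hit in blob."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    hits.sort()
    return hits


# Constructed sample: fragments of methods 02, 03 and 05 plus a driver name,
# separated by NOP padding. Not bytes from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"          # mov ax,0911h
    + b"\x8b\x17"              # mov dx,[bx]
    + b"\xbe\x47\x46"          # mov si,4647h
    + b"\xbf\x4d\x4a"          # mov di,4A4Dh
    + b"\xcc"                  # int 3
    + b"\x90" * 4
    + b"\x33\xff"              # xor di,di
    + b"\x8e\xc7"              # mov es,di
    + b"\xb8\x84\x16"          # mov ax,1684h
    + b"\xbb\x02\x02"          # mov bx,0202h
    + b"\xcd\x2f"              # int 2Fh
    + b"\x90" * 4
    + b"\xb8\x4f\x00"          # mov ax,4Fh
    + b"\xcd\x41"              # int 41h
    + b"\x3d\x86\xf3"          # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0
    + b"\x90" * 4
)


def main():
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")


if __name__ == "__main__":
    main()
```

On the constructed sample this reports the magic values at offset 9, the int 2Fh/1684h check at 24, the int 41h/4Fh call at 36, the 0F386h compare at 41 and the driver name at 48. Three-byte patterns such as `cmp ax,0F386h` can occur by chance in data or unrelated code, so treat hits as triage hints to confirm by disassembly, and remember that the ring0 methods (09, 10, 14) use VMM services rather than fixed opcode sequences and are not covered by a byte scan.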