<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe" which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h     ; VxD ID of winice
    int 2Fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh     ; VxD ID of SIWVID
    int 2fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; swap our handler into the IVT (ES = 0 assumed)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                 ; runs only if our own vector is reached
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler in the IVT
    xchg bx, es:[41h*4+2]
    in al, 40h                ; value read from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
__________________________________________________________________________
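Added example (not from the original text): a decoder for the DR7 values quoted in Method 10, using the standard x86 debug-register layout. It shows that 0x700 differs from the idle 0x400 only in bits 8 and 9 (LE and GE) and lists which DR0-DR3 breakpoints a given DR7 has armed.

```python
# Added example, not part of the original text: decode DR7 as read in ring0
# by the trick above. Bit layout is the standard x86 one; the values used
# in the usage at the bottom are the ones the text quotes plus one constructed
# BPM-style breakpoint.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Break DR7 into its flag bits and the list of enabled breakpoints."""
    breakpoints = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)       # Ln: local enable
        glob = bool((dr7 >> (2 * n + 1)) & 1)    # Gn: global enable
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3       # R/Wn: break condition
            ln = (dr7 >> (18 + 4 * n)) & 3       # LENn: monitored size
            breakpoints.append({"index": n, "kind": RW_KIND[rw],
                                "length": LEN_BYTES[ln], "global": glob})
    return {
        "local_exact": bool(dr7 & (1 << 8)),      # LE, bit 8
        "global_exact": bool(dr7 & (1 << 9)),     # GE, bit 9
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always reads as 1
        "general_detect": bool(dr7 & (1 << 13)),  # GD: trap on any DRx access
        "breakpoints": breakpoints,
    }


def classify_dr7(dr7: int) -> str:
    """Map a DR7 reading onto the two cases the text describes."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints armed (dr0-dr3 in use)"
    if info["local_exact"] and info["global_exact"]:
        return "LE/GE set: matches the 0x700 value quoted for a SoftICE-loader start"
    return "idle (0x400-style, only the reserved bit set)"


if __name__ == "__main__":
    # 0xD00404: L1 enabled, R/W1 = write, LEN1 = 4 bytes (constructed)
    for value in (0x400, 0x700, 0xD00404):
        print(hex(value), classify_dr7(value), decode_dr7(value)["breakpoints"])
```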

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name \\.\SICE can only be opened when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32)
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________
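Added example (not from the original text) that serves Methods 01 to 05, 07, 11 and 12 above: a static scanner that flags the byte patterns of those checks in a DOS/Win9x executable image, so an analyst knows where to set the breakpoints the text suggests. Opcode encodings are standard x86 (16-bit for the DOS methods); SAMPLE is a constructed buffer, not a real file.

```python
# Added example, not part of the original text: byte-pattern scanner for the
# SoftICE checks described on this page. Assumes 16-bit encodings for the DOS
# methods (the 32-bit forms differ only by a 66h prefix, which still matches).
import re

SIGNATURES = [
    # (method, description, pattern over raw bytes)
    ("01", "BoundsChecker 'BCHK' int 3 check",              # mov ebp,4243484Bh
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02", "int 3 back door, SI=4647h / DI=4A4Dh",           # mov si / mov di
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL)),
    ("03", "int 2Fh/1684h, VxD ID 0202h (SICE)",             # mov bx,0202h .. int 2Fh
     re.compile(rb"\xBB\x02\x02.{0,6}?\xCD\x2F", re.DOTALL)),
    ("04", "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",           # mov bx,7A5Fh .. int 2Fh
     re.compile(rb"\xBB\x5F\x7A.{0,6}?\xCD\x2F", re.DOTALL)),
    ("05", "int 41h/4Fh, magic 0F386h",                      # mov ax,4Fh .. int 41h
     re.compile(rb"\xB8\x4F\x00.{0,4}?\xCD\x41", re.DOTALL)),
    ("07", "int 68h/43h, magic 0F386h",                      # mov ah,43h .. int 68h
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.DOTALL)),
    ("11", "MeltICE driver name (CreateFileA / _lopen)",     # "\\.\SICE" etc.
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",     # push 4Fh; push 2A002Ah
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(data: bytes):
    """Return (method, offset, description) for every signature hit, by offset."""
    hits = [(method, m.start(), desc)
            for method, desc, pat in SIGNATURES
            for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: the Haspinst.exe loop (Method 02), Stone's int 41h check
# (Method 05) and the MeltICE device name (Method 11), separated by NOP filler.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for method, offset, desc in scan(SAMPLE):
        print(f"Method {method} at offset 0x{offset:04X}: {desc}")
```

Run it over a raw image (not a memory dump taken under SoftICE, which would also contain the debugger's own strings) and use the offsets to place the BPX/BPINT conditions listed above.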

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>