About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker request signature)
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler services the request
    cmp     al,4                   ; al is left untouched when SoftICE is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; int 2Fh function 1684h: get VxD API entry point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 when no such VxD answered
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

2 V) |' R5 H2 g* t" v' V( MMethod 05& q; T" i, x& z% n- T! S( Q
=========/ A; v! R2 E# b) }; f9 d  q* p

5 m- g3 Y2 m" ]Method seeking the 'magic number' 0F386h returned (in ax) by all system* L& y6 S6 }2 u+ `* ^
debugger. It calls the int 41h, function 4Fh.2 W- g& }/ x$ }
There are several alternatives.  $ r3 X8 ~" Z+ Q: q

$ z8 n& s% a2 o8 yThe following one is the simplest:: [4 |- W- t0 Q) ^* Z& m- A
1 H2 I! }6 }  \! ]; S9 G( S8 f3 i
    mov     ax,4fh
, M2 F) Y4 d! Y# A* c    int     41h
8 l" ~9 ^/ `8 \; U. o) b+ m    cmp     ax, 0F386- V' `' h7 h0 p( G( T& J
    jz      SoftICE_detected) s+ h" Q7 x! X$ ?9 l8 R) Z, U
0 v8 V/ L# g+ f0 y$ T

' `5 k8 z+ O1 |- b! M( _Next method as well as the following one are 2 examples from Stone's
7 v6 j9 G+ R% d( N# P3 t9 a4 X"stn-wid.zip" (www.cracking.net):1 }/ [! N# N! X( ^

- R7 Q' b0 d0 u' H' L    mov     bx, cs
. T8 m. _8 o* U4 {2 Q# O& A    lea     dx, int41handler2" s6 U! k5 ~  J! b' l6 R  p) S
    xchg    dx, es:[41h*4]% h% m$ v7 N8 \5 G' a* |
    xchg    bx, es:[41h*4+2]) |/ f& o: q+ J- d
    mov     ax,4fh
" S4 |2 z, g8 n: m6 |% }    int     41h
- d, x, G/ I! s2 J' J  w    xchg    dx, es:[41h*4]( u1 E0 A# n( Z, S
    xchg    bx, es:[41h*4+2]2 m7 R( G3 h( o( G. t: Q
    cmp     ax, 0f386h
( C# X; o+ e7 L    jz      SoftICE_detected
5 q$ N+ o& @/ S3 N+ Y/ p) X/ {1 q
$ P0 `- {) Z. o, ]3 n! t: ^- ?int41handler2 PROC
* D2 T( m) t, E$ x8 B$ @    iret5 D. i$ R& u4 P" d# o7 t" T
int41handler2 ENDP4 Z  z& [% B$ d; Q- ?0 c
$ e4 Z" i: {/ @
; e5 O, {0 \- z
_________________________________________________________________________
1 ~, B! k# h) v6 G: X6 Y
4 L  s# c7 q+ }* t' V9 j3 `) W# f
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler simply copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; al = timer counter byte: an unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; if a debugger swallowed the int 41h, our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

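As an added example (not part of the original text), a small Python scanner that looks for the byte encodings of the int 3, int 2Fh/1684h, int 41h/4Fh, int 68h and int 21h/25h sequences from Methods 01 to 05, 07 and 08 in a file image, so an analyst can flag these checks in a sample without stepping through them. The sample buffer is constructed here, and the 16-bit/32-bit opcode choices are assumptions stated in the comments.

```python
import re

# Opcode encodings assumed below: 16-bit (DOS) mov ax,imm16 = B8 iw, mov si = BE iw,
# mov di = BF iw, mov bx = BB iw, mov ah,imm8 = B4 ib, mov al,imm8 = B0 ib,
# mov dx,imm16 = BA iw, int ib = CD ib, cmp ax,imm16 = 3D iw; Method 01 is 32-bit
# code, where mov ebp,imm32 = BD id. re.S lets '.' span any filler byte.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ... int 3 (BoundsChecker signature)
    ("Method 01 int3/BCHK", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov ax,09xx ; mov si,4647 ; mov di,4A4D (either order) ; int 3
    ("Method 02 int3 back door", re.compile(
        rb"\xB8(.)\x09.{0,8}?(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,4}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("Method 03/04 int2F/1684 VxD ID", re.compile(rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h ; (optional vector restore) ; cmp ax,0F386h
    ("Method 05 int41/4F", re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("Method 07 int68/43", re.compile(rb"\xB4\x43\xCD\x68\x3D\x86\xF3")),
    # Method 08: mov ah,25h ; mov al,01h|03h ; mov dx,offset ; int 21h
    ("Method 08 int21/25 vector hijack", re.compile(rb"\xB4\x25\xB0([\x01\x03])\xBA..\xCD\x21", re.S)),
]

# Back door functions (low byte of AX) and VxD IDs exactly as listed in the text.
BACKDOOR_FUNCS = {0x10: "display string", 0x11: "execute command", 0x12: "get breakpoints",
                  0x13: "set breakpoints", 0x14: "remove breakpoints"}
VXD_IDS = {b"\x02\x02": "SICE (0202h)", b"\x5F\x7A": "SIWVID (7A5Fh)"}


def describe(name, m):
    """Decode the operand the text explains for the signatures that carry one."""
    if name.startswith("Method 02"):
        fn = 0x0900 | m.group(1)[0]
        return "AX=%04Xh (%s)" % (fn, BACKDOOR_FUNCS.get(fn & 0xFF, "unknown back door function"))
    if name.startswith("Method 03"):
        return "BX=" + VXD_IDS[m.group(1)]
    if name.startswith("Method 08"):
        return "hooks int %02Xh" % m.group(1)[0]
    return ""


def scan(buf):
    """Return [(offset, method name, detail)] for every signature hit, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(buf):
            hits.append((m.start(), name, describe(name, m)))
    return sorted(hits)


# Constructed sample (not a real binary): filler bytes around the sequences from the text.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02, Haspinst loop body
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                          # Method 04, SIWVID VxD ID
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # Method 05, simplest form
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                              # Method 07
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x00"  # Method 01 (32-bit)
    + b"\xB4\x25\xB0\x03\xBA\x00\x10\xCD\x21"                      # Method 08, hooks int 03h
)

if __name__ == "__main__":
    for off, name, detail in scan(SAMPLE):
        print("%04X  %-32s %s" % (off, name, detail))
```

The patterns are deliberately tight to the operand order shown in the text; a packer that reorders the register loads needs a looser gap, which is where false positives start to creep in.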
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
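As an added example (again not from the original text), a Python model of how the SoftICE conditionals of Methods 11, 12 and 13 evaluate: 'esp->4' style dereferences of a constructed little-endian memory image with a stdcall frame laid out as the BPX sees it. It shows why the Method 11 check reads 4 bytes past the "\\.\" prefix and why the Method 13 offsets 0x13 and 0x37 land exactly on 'tICE' in the two registry paths; the Memory class, push_args, the STACK address and every other address are assumptions made for this example.

```python
import struct

class Memory:
    """Flat little-endian memory image (constructed for this example) mapped at `base`."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data

    def dword(self, addr):
        """The '->' dereference in a SoftICE expression (esp->4 is the DWORD at esp+4)."""
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]

    def chars(self, addr):
        """The 4 bytes that *(addr)=='SICE' compares, in memory order."""
        off = addr - self.base
        return bytes(self.buf[off:off + 4]).decode("latin-1")

def push_args(mem, esp, ret_addr, args):
    """Frame as a BPX on the callee sees it: [esp]=return address, [esp+4]=arg1, [esp+8]=arg2..."""
    mem.write(esp, struct.pack("<I", ret_addr))
    for i, a in enumerate(args):
        mem.write(esp + 4 * (i + 1), struct.pack("<I", a))

# Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
# esp->4 is lpFileName; the +4 skips the 4-character "\\.\" device prefix.
def bpx_createfilea(mem, esp):
    return mem.chars(mem.dword(esp + 4) + 4) in ("SICE", "SIWV", "NTIC")

# Method 12: BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f
# (push 4fh ; push 002a002ah ; call leaves the service id at esp+4 and the function at esp+8)
def bpx_vxdcall(mem, esp):
    return mem.dword(esp + 4) == 0x002A002A and mem.dword(esp + 8) == 0x4F

# Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
# esp->8 is lpSubKey; "SoftICE" starts at 0x10 in "Software\NuMega\SoftICE" and at 0x34 in
# "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE", so 'tICE' sits at 0x13 / 0x37.
def bpx_regopenkey(mem, esp):
    key_ptr = mem.dword(esp + 8)
    return mem.chars(key_ptr + 0x13) == "tICE" or mem.chars(key_ptr + 0x37) == "tICE"

STACK = 0x00402C00   # constructed ESP at the moment the breakpoint fires

def check_filename(name):
    """CreateFileA(name, ...) under the Method 11 breakpoint: True means SoftICE would break."""
    mem = Memory(0x00400000, 0x3000)
    mem.write(0x00402025, name.encode("latin-1") + b"\0")   # same string address as the listing
    push_args(mem, STACK, 0x00401071, [0x00402025, 0xC0000000, 3, 0, 3, 0x80, 0])
    return bpx_createfilea(mem, STACK)

def check_subkey(subkey):
    """RegOpenKey(HKEY_LOCAL_MACHINE, subkey, &hkey) under the Method 13 breakpoint."""
    mem = Memory(0x00400000, 0x3000)
    mem.write(0x00402100, subkey.encode("latin-1") + b"\0")
    push_args(mem, STACK, 0x00401200, [0x80000002, 0x00402100, 0x00402800])
    return bpx_regopenkey(mem, STACK)

def check_vxdcall(service, function):
    """'push function ; push service ; call Kernel32!ORD_0001' under the Method 12 breakpoint."""
    mem = Memory(0x00400000, 0x3000)
    push_args(mem, STACK, 0x00401300, [service, function])
    return bpx_vxdcall(mem, STACK)
```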

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>