About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler answers a BoundsChecker
    cmp     al,4                   ; request by changing al; without SoftICE al stays 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call SoftICE's 'back door' commands, which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES=0: the IVT lives at 0000:0000 (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax alone; only a debugger returns 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; random-ish value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; if a debugger took the int, our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name \\.\SICE only exists while the SoftICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
5 T/ @1 a2 S, T/ [1 h! ?# D</PRE></TD></TR></TBODY></TABLE>