About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)

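What the two DR7 values quoted above actually encode is easier to see with a decoder. The following is an added example written for this page, not code from the original post: it follows the IA-32 DR7 bit layout (L0/G0..L3/G3 enable bits in bits 0-7, LE and GE in bits 8-9, GD in bit 13, and a 2-bit R/W plus 2-bit LEN field per slot from bit 16 upwards), and the breakpoint values it decodes besides 0x400 and 0x700 are constructed for the example.

```python
"""Decode a DR7 value into its flag bits and armed DR0..DR3 slots
(added example, not code from the original post; bit layout per the IA-32
DR7 definition).  0x400 is bit 10, which is reserved and reads as 1, so it
is the baseline the text quotes for 'no debugger'; 0x700 adds LE and GE."""
from dataclasses import dataclass, field

RW_KIND = {0b00: 'execute', 0b01: 'write', 0b10: 'io', 0b11: 'read/write'}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


@dataclass
class Dr7:
    local_exact: bool             # bit 8  (LE)
    global_exact: bool            # bit 9  (GE)
    general_detect: bool          # bit 13 (GD): traps MOV to/from DRx
    slots: list = field(default_factory=list)   # one dict per armed breakpoint


def decode_dr7(value: int) -> Dr7:
    d = Dr7(local_exact=bool(value & (1 << 8)),
            global_exact=bool(value & (1 << 9)),
            general_detect=bool(value & (1 << 13)))
    for i in range(4):
        local = bool(value & (1 << (2 * i)))        # Li enable bit
        glob = bool(value & (1 << (2 * i + 1)))     # Gi enable bit
        if not (local or glob):
            continue
        rw = (value >> (16 + 4 * i)) & 0b11          # R/Wi field
        ln = (value >> (18 + 4 * i)) & 0b11          # LENi field
        d.slots.append({'reg': f'DR{i}', 'scope': 'global' if glob else 'local',
                        'kind': RW_KIND[rw], 'len': LEN_BYTES[ln]})
    return d


def describe(value: int) -> str:
    """One-line human-readable summary of a DR7 value."""
    d = decode_dr7(value)
    flags = [n for n, on in (('LE', d.local_exact), ('GE', d.global_exact),
                             ('GD', d.general_detect)) if on]
    parts = [f'DR7=0x{value:X}', 'flags=' + ('|'.join(flags) or 'none')]
    parts += [f"{s['reg']} {s['scope']} {s['kind']} len={s['len']}" for s in d.slots]
    return '; '.join(parts)


if __name__ == '__main__':
    # The two values quoted in Method 10, then a constructed 4-byte
    # read/write breakpoint on DR0 such as a memory breakpoint would arm.
    for v in (0x400, 0x700, 0x000F0402):
        print(describe(v))
```

Reading the decoder output against the text: 0x400 decodes to no flags and no armed slots, 0x700 to LE|GE with no slots, and any value with an Li/Gi bit set names the register, its scope and what kind of access it watches, which is the information a memory breakpoint (BPM) leaves behind in DR0-DR3 and DR7.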
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
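
Most of the tricks on this page rely on fixed constants, which is what makes them findable in a binary before anything is run under a debugger. The scanner below is an added example written for this page, not code from the original post. It searches raw code bytes for the 'BCHK' immediate of Method 01, the SI/DI magic pair of Method 02 (the SI value is reported only when the DI value follows within a few bytes, and both int 3 tricks note whether an INT 3 opcode sits close behind), the cmp ax, 0F386h of Methods 05, 07 and 12, the device names of Method 11 (as ANSI and as UTF-16LE) and the registry paths of Method 13. The instruction encodings it assumes and the sample bytes are constructed for the example.

```python
"""Scan raw x86 code bytes for the fixed constants left behind by the
anti-SoftICE tricks described on this page (added example, not code from
the original post).  Instruction encodings are the author's assumptions:
   mov ebp, imm32  -> BD imm32          mov si, imm16 -> BE imm16
   mov di, imm16   -> BF imm16          cmp ax, imm16 -> 3D imm16
   int 3           -> CC
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

INT3 = 0xCC
WINDOW = 24   # bytes to look ahead for a related constant or an INT 3

# Little-endian immediates used by the int 3 tricks.
BCHK_IMM = struct.pack('<I', 0x4243484B)            # Method 01: 'BCHK' in EBP
SI_MAGIC = struct.pack('<H', 0x4647)                # Method 02: SI magic
DI_MAGIC = struct.pack('<H', 0x4A4D)                # Method 02: DI magic
CMP_AX_F386 = b'\x3d' + struct.pack('<H', 0xF386)   # Methods 05/07/12: cmp ax, 0F386h

# Strings from Methods 11 and 13, searched as ANSI and as UTF-16LE.
STRINGS = {
    'Method 11 device name':  [rb'\\.\SICE', rb'\\.\SIWVID', rb'\\.\NTICE'],
    'Method 13 registry key': [rb'NuMega\SoftICE', rb'Uninstall\SoftICE',
                               rb'App Paths\Loader32.Exe'],
}


@dataclass
class Hit:
    offset: int
    trick: str
    detail: str


def _find_all(buf: bytes, needle: bytes):
    """Yield every offset of needle in buf, overlapping matches included."""
    i = buf.find(needle)
    while i != -1:
        yield i
        i = buf.find(needle, i + 1)


def _int3_note(buf: bytes, start: int) -> str:
    return 'INT 3 follows' if INT3 in buf[start:start + WINDOW] else 'no INT 3 nearby'


def scan_anti_softice(code: bytes) -> list[Hit]:
    hits: list[Hit] = []
    for off in _find_all(code, BCHK_IMM):
        hits.append(Hit(off, 'Method 01 BCHK signature', _int3_note(code, off + 4)))
    for off in _find_all(code, SI_MAGIC):
        # Two ASCII bytes 'GF' are common; require the DI magic close behind.
        if DI_MAGIC in code[off:off + WINDOW]:
            hits.append(Hit(off, 'Method 02 SI/DI back-door magic', _int3_note(code, off)))
    for off in _find_all(code, CMP_AX_F386):
        hits.append(Hit(off, 'Methods 05/07/12 cmp ax, 0F386h', 'debugger magic number'))
    for trick, needles in STRINGS.items():
        for s in needles:
            for off in _find_all(code, s):
                hits.append(Hit(off, trick, s.decode()))
            for off in _find_all(code, s.decode().encode('utf-16-le')):
                hits.append(Hit(off, trick, s.decode() + ' (UTF-16LE)'))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: sequences from the page re-assembled by hand, plus a
# device string, a UTF-16LE registry path and a decoy 'GF' that must not match.
SAMPLE = bytes.fromhex(
    '9090'            # filler
    'BD4B484342'      # mov ebp, 4243484Bh   ; 'BCHK'          (Method 01)
    '66B80400'        # mov ax, 4
    'CC'              # int 3
    '3C04'            # cmp al, 4
    '7500'            # jnz SoftICE_Detected
    'B81109'          # mov ax, 0911h  (16-bit code)            (Method 02)
    '8B17'            # mov dx, [bx]
    'BE4746'          # mov si, 4647h
    'BF4D4A'          # mov di, 4A4Dh
    'CC'              # int 3
    'B84F00'          # mov ax, 4Fh                              (Method 05)
    'CD41'            # int 41h
    '3D86F3'          # cmp ax, 0F386h
    '4746'            # decoy: SI magic bytes with no DI magic after them
) + b'\\\\.\\SICE\x00' + 'Software\\NuMega\\SoftICE'.encode('utf-16-le')


if __name__ == '__main__':
    for h in scan_anti_softice(SAMPLE):
        print(f'{h.offset:#06x}  {h.trick:<36} {h.detail}')
```

Run it against a code section dumped from the executable rather than the whole file image, so relocation tables and resources do not add noise; a hit whose detail says no INT 3 is nearby, or a bare 0F386h compare, deserves a look in a disassembler before it is trusted, since the same bytes can occur in data.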

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>