<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by the majority
of the packers/encryptors found on the Internet. It relies on the
BoundsChecker interface built into SoftICE: with EBP = 'BCHK' and AX = 4, an
INT 3 that is handled by SoftICE comes back with AL no longer equal to 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to make it execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (display a string in the SoftICE window)
-AX = 0911h (execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (get breakpoint information)
-AX = 0913h (set SoftICE breakpoints)
-AX = 0914h (remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before honouring the request.
For more information, see Ralf Brown's Interrupt List, INT 03h.

Here is an example from "Haspinst.exe", the HASP dongle Envelope utility used
to protect DOS applications:

4C19:0095  MOV  AX,0911        ; execute command
4C19:0098  MOV  DX,[BX]        ; DS:DX points to the command (see below)
4C19:009A  MOV  SI,4647        ; 1st magic value
4C19:009D  MOV  DI,4A4D        ; 2nd magic value
4C19:00A0  INT  3              ; back-door call (if SoftICE is not loaded,
                               ; control goes to 00AD, see *)
4C19:00A1  ADD  BX,02          ; BX+2 -> next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06          ; repeat 6 times to execute
4C19:00A8  JB   0095           ; 6 different commands
4C19:00AA  JMP  0002           ; Bad_Guy: jump back
4C19:00AD  MOV  BX,SP          ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS and ... HBOOT.
* the jump to 00ADh is taken through an exception handler (the program's own
  INT 3 handler) when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less common method. It asks for the SoftICE VxD's API entry point via
INT 2Fh, AX=1684h (Get Device API Entry Point) with the VxD ID in BX. If no
VxD with that ID is loaded, ES:DI is left at 0000:0000 (which is why the code
clears them first).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next one and Method 06 are two examples from Stone's "stn-wid.zip"
(www.cracking.net). Before the call, the program points the INT 41h vector at
its own handler, a plain IRET: without SoftICE the call then returns with AX
still 4Fh, whereas SoftICE, which hooks INT 41h independently of this vector,
still answers 0F386h. The original vector is swapped back afterwards.

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect, since a
BPINT 41 IF AX==4F never fires. The replacement handler copies AL into CL,
and AL is loaded from the system timer port (IN AL,40h), so the function
number changes on every run. Without SoftICE the program's handler runs and
CL ends up equal to AL; if SoftICE has taken over INT 41h the handler never
runs, CL stays 0 and (unless the timer byte happened to be 0) the compare
fails.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random function number
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> SoftICE will not let you set a BPINT 68, but for a 32-bit app you can hook
it like this:

    BPX exec_int if ax==68

(the function called is at byte ptr [ebp+1Dh] and the client EIP is at
[ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system: it hooks INT 01h and
INT 03h and redirects them to another routine.
It uses INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine, which hangs the computer...

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD
    mov edi, Device_Name    ; only used when there is no VxD ID (useless here)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

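The debug-register read described above, as an added example that is not part of the original article: a Python decoder for the raw values a ring-0 routine gets back from MOV reg,DR7 and MOV reg,DR0..DR3. It lists which hardware breakpoints are armed (slot, linear address, type, length), names the two DR7 states the text quotes, and shows what writing a "cleared" DR7 back would look like. The DR7 bit layout is the architectural one; the breakpoint values used in the sample are constructed, and the 0x700 reading is the text's observation about the SoftICE loader, not an architectural guarantee.

```python
"""Decode the x86 debug registers a ring-0 routine reads for Method 10.

Added example, not code from the original article.  DR7 layout (architectural):
bits 0-7 are the L0/G0 ... L3/G3 enable pairs, bit 8 LE, bit 9 GE, bit 10 is
reserved and always reads as 1, bit 13 GD, and from bit 16 up each breakpoint
has a 2-bit R/W field followed by a 2-bit LEN field.  So 0x400 is a DR7 with
nothing armed at all, and the 0x700 the text attributes to programs started
from the SoftICE loader is the same plus LE and GE.
"""
from dataclasses import dataclass
from typing import List, Tuple

DR7_LE = 1 << 8                 # local exact breakpoint enable
DR7_GE = 1 << 9                 # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10         # always reads as 1
DR7_GD = 1 << 13                # general detect: trap any access to DRn
DR7_ENABLE_MASK = 0xFF          # L0,G0 ... L3,G3

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 is 8 bytes (64-bit only)


@dataclass
class HwBreakpoint:
    slot: int           # 0..3, i.e. which of DR0..DR3 holds the address
    address: int
    kind: str           # exec / write / io / read/write
    length: int         # bytes covered
    local: bool
    global_: bool


def decode_debug_regs(dr7: int, dr0_3: List[int]) -> List[HwBreakpoint]:
    """List the breakpoints armed in DR7, taking addresses from DR0..DR3."""
    armed = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        armed.append(HwBreakpoint(n, dr0_3[n], RW_NAMES[rw], LEN_BYTES[ln],
                                  local, glob))
    return armed


def classify_dr7(dr7: int) -> str:
    """Name the DR7 state in the terms the text uses."""
    if dr7 & DR7_ENABLE_MASK:
        return "hardware breakpoints armed (BPM/BPX set)"
    if dr7 & (DR7_LE | DR7_GE):
        return "LE/GE set, nothing armed (0x700: started from SoftICE loader)"
    return "clean (0x400: only the always-set bit 10)"


def clear_breakpoints(dr7: int) -> int:
    """What a protection would write back to disarm every BPM: drop the
    enable bits and the R/W-LEN fields, keep LE/GE/GD, keep bit 10 set."""
    return (dr7 & ~(DR7_ENABLE_MASK | 0xFFFF0000)) | DR7_RESERVED1


def encode_breakpoint(slot: int, address: int, kind: str, length: int,
                      glob: bool = True) -> Tuple[int, int]:
    """Inverse of decode: (dr7_bits, drN) for one breakpoint, so a round
    trip can be checked.  The caller ORs dr7_bits into DR7."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot + (1 if glob else 0))
    bits = enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
    return bits | DR7_RESERVED1, address


if __name__ == "__main__":
    # Constructed sample: a 4-byte write BPM on 00401000 in slot 0 plus an
    # exec breakpoint on 00401234 in slot 1, on top of the loader's 0x700.
    dr7 = 0x700
    regs = [0, 0, 0, 0]
    for args in ((0, 0x401000, "write", 4), (1, 0x401234, "exec", 1)):
        bits, regs[args[0]] = encode_breakpoint(*args)
        dr7 |= bits
    print(f"DR7={dr7:#010x}: {classify_dr7(dr7)}")
    for bp in decode_debug_regs(dr7, regs):
        print(f"  DR{bp.slot}={bp.address:#010x} {bp.kind} len={bp.length}")
    print(f"after clearing BPMs: DR7={clear_breakpoints(dr7):#05x}")
```

The module only interprets values; the MOV reg,DRn that produces them faults with #GP outside ring 0, which is exactly why the text says this check is ring 0 only. A protection that writes the cleared value back removes your BPMs silently, so compare DR7 before and after stepping over suspect ring-0 code.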
__________________________________________________________________________
" x2 l, w/ f# l1 O$ J! q7 M2 x' w7 V
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver devices
(SICE and SIWVID on Win9x, NTICE on WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to intercept
it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft load
or unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                ; HFILE_ERROR (-1) becomes 0
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (Methods
05 and 06) but very limited, because it is only available on Win95/98 (not
NT) as it uses the VxDCall back door. This detection was found in the Bleem
demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word: which VxD (VWIN32)
                            ; low word: which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where "tICE"
sits inside the #2 and #1 subkey strings):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

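The BPX breakpoints given for the methods above catch each trick at run time. To triage a binary before running it, here is an added example that is not part of the original article: a small Python scanner that looks for the byte encodings of the instruction sequences and strings used by Methods 01-05, 07, 11, 12 and 13 in a raw code image (a DOS .COM, an .EXE body or a dumped PE section). The x86 opcode encodings are standard; the sample image embedded at the bottom is hand-assembled for the demonstration and does not come from any real program.

```python
"""Static scanner for the anti-SoftICE idioms described in Methods 01-05, 07,
11, 12 and 13.  Added example, not code from the original article.

It searches a raw code image for the byte encodings of the instruction
sequences and strings those methods use.  16-bit immediates are
little-endian, so 'mov si,4647h' is BE 47 46 and 'mov di,4A4Dh' is BF 4D 4A.
The sample image at the bottom is hand-assembled for this demonstration and
does not come from any real program.
"""
import re
import sys
from typing import Dict, List, Tuple

# (method on this page, what the bytes are, regex over raw bytes)
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "mov ebp,'BCHK' (BoundsChecker magic before INT 3)",
     rb"\xbd\x4b\x48\x43\x42"),
    ("02", "back-door magics SI=4647h and DI=4A4Dh followed by INT 3",
     rb"(?:\xbe\x47\x46.{0,8}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}?\xbe\x47\x46)"
     rb".{0,16}?\xcc"),
    ("03/04", "mov bx,0202h/7A5Fh (SICE/SIWVID VxD ID) followed by INT 2Fh",
     rb"\xbb(?:\x02\x02|\x5f\x7a).{0,12}?\xcd\x2f"),
    ("05", "mov ax,4Fh / INT 41h / cmp ax,0F386h",
     rb"\xb8\x4f\x00.{0,12}?\xcd\x41.{0,12}?\x3d\x86\xf3"),
    ("07", "mov ah,43h followed by INT 68h",
     rb"\xb4\x43.{0,8}?\xcd\x68"),
    ("11", "MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00).{0,8}?\x68\x2a\x00\x2a\x00"),
    ("13", "Software\\NuMega\\SoftICE registry key",
     rb"(?i)Software\\NuMega\\SoftICE"),
]


def scan(image: bytes) -> List[Dict[str, object]]:
    """Return every signature hit, sorted by offset, with the matched bytes."""
    hits: List[Dict[str, object]] = []
    for method, what, pattern in SIGNATURES:
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append({
                "offset": m.start(),
                "method": method,
                "what": what,
                "bytes": m.group(0).hex(" "),
            })
    return sorted(hits, key=lambda h: (h["offset"], h["method"]))


def report(image: bytes) -> str:
    """Human-readable listing, one hit per line."""
    lines = [f"{h['offset']:08x}  Method {h['method']:<5} {h['what']}  [{h['bytes']}]"
             for h in scan(image)]
    return "\n".join(lines) if lines else "no anti-SoftICE signature found"


# Constructed sample image (from no real program): hand-assembled 16-bit
# fragments of Methods 02, 03 and 05 plus the MeltICE device name of
# Method 11, separated by NOP padding.
SAMPLE_IMAGE = (
    b"\x90" * 8
    # Method 02: mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"
    + b"\x90" * 8
    # Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"
    + b"\x90" * 8
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz +10h
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"
    + b"\x90" * 8
    # Method 11: the device name MeltICE passes to CreateFileA
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    print(report(data))
```

Run it with the file to inspect as the only argument; each hit names the method whose idiom sits at that offset, so you know which of the breakpoints above to set before running the target. Signatures keyed on fixed immediates miss variants that build the magic values at run time (Method 06 never holds 4Fh in AX, and a packer can assemble 'BCHK' byte by byte), so a clean result means "nothing obvious", not "nothing there".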
__________________________________________________________________________7 d+ n# X* A+ k* A$ f
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>