About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
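To make the dr7 values quoted above concrete (0x700 with the SoftICE loader, 0x400 otherwise), here is an added example that is not from the original post: a decoder that splits a DR7 value into its documented fields. The bit layout is the standard x86 one (L0/G0..L3/G3 in bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, GD in bit 13, R/Wn and LENn in bits 16-31); the interpretation of the two quoted values is mine. It shows that 0x700 is just LE|GE plus the reserved bit, that 0x400 is the reserved bit alone, and how the per-slot enable bits reveal whether any BPM (dr0-dr3) is armed. Reading the registers themselves still needs ring0, as the text says; the decoder works on a value you have already obtained.

```python
"""Decoder for the x86 DR7 debug-control register (added example, not from
the original post).  Bit layout per the Intel SDM: L0/G0..L3/G3 in bits 0-7,
LE/GE in bits 8-9, bit 10 reserved and always set, GD in bit 13,
R/Wn in bits 16+4n..17+4n and LENn in bits 18+4n..19+4n.
"""
from dataclasses import dataclass
from typing import List

# R/W field encodings for one breakpoint slot.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field encodings (10b means 8 bytes and is only valid in 64-bit mode).
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass
class Slot:
    """State of one of the four hardware breakpoints DR0..DR3."""
    index: int
    local: bool      # Ln bit: enabled for the current task
    global_: bool    # Gn bit: enabled for all tasks
    kind: str        # R/Wn: which access triggers it
    length: int      # LENn: size of the watched range in bytes

    @property
    def enabled(self) -> bool:
        return self.local or self.global_


@dataclass
class Dr7:
    slots: List[Slot]
    local_exact: bool     # LE, bit 8
    global_exact: bool    # GE, bit 9
    reserved_bit10: bool  # always set on real hardware
    general_detect: bool  # GD, bit 13


def decode_dr7(dr7: int) -> Dr7:
    """Split a DR7 value into its documented fields."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append(Slot(n, local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return Dr7(
        slots=slots,
        local_exact=bool((dr7 >> 8) & 1),
        global_exact=bool((dr7 >> 9) & 1),
        reserved_bit10=bool((dr7 >> 10) & 1),
        general_detect=bool((dr7 >> 13) & 1),
    )


def active_breakpoints(dr7: int) -> List[int]:
    """Indices of the DRn slots that currently have a breakpoint enabled."""
    return [s.index for s in decode_dr7(dr7).slots if s.enabled]


def describe(dr7: int) -> str:
    """One-line, human-readable summary of a DR7 value."""
    d = decode_dr7(dr7)
    flags = [name for name, on in (("LE", d.local_exact),
                                   ("GE", d.global_exact),
                                   ("GD", d.general_detect)) if on]
    parts = [f"dr7=0x{dr7:x}", "flags=" + ("|".join(flags) or "none")]
    for s in d.slots:
        if s.enabled:
            scope = "G" if s.global_ else "L"
            parts.append(f"dr{s.index}:{scope} {s.kind} len={s.length}")
    if not active_breakpoints(dr7):
        parts.append("no hardware breakpoints armed")
    return " ".join(parts)


if __name__ == "__main__":
    # The two values quoted in the text, plus a constructed one with a
    # 1-byte write watch armed on DR0.
    for value in (0x700, 0x400, 0x10401):
        print(describe(value))
```

The decoder only interprets bits; whether LE/GE are honoured is CPU-dependent (P6 and later ignore them), but their presence is exactly what distinguishes 0x700 from 0x400 here.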

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}


0 \0 u( V3 V9 k1 J( y( {, HAlthough this trick calls the CreateFileA function, don't even expect to be
: W) e& Q; k9 U4 Y( T0 rable to intercept it by installing a IFS hook: it will not work, no way!
: p3 U8 D% {4 g! I; }( dIn fact, after the call to CreateFileA it will get through VWIN32 0x001F3 Z- }& V9 Z# _8 e
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)* G3 `+ n" N2 l. \+ x
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
- y) c1 K: ?+ ?$ Ufield.
: T( |8 ], t+ E6 K. ^In fact, its purpose is not to load/unload VxDs but only to send a
; p( I& h" h  J' _4 r+ Y0 D" C6 [W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). H8 k$ y* s! I/ l' c: r$ |9 A
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
8 ^0 Y  a3 x; t1 g0 Zto load/unload a non-dynamically loadable driver such as SoftICE ;-).
$ U1 h# ~1 j; K$ F9 ]3 ?If the VxD is loaded, it will always clear eax and the Carry flag to allow
( F2 ^7 I+ ~2 `5 a, @. }# M9 ^& s& Aits handle to be opened and then, will be detected.
: Q8 I$ s0 A/ m! D$ hYou can check that simply by hooking Winice.exe control proc entry point
; g0 u4 x5 q5 m8 }) |3 D3 S5 I; ~while running MeltICE.' a& J! R' b1 b

' r9 P- H$ h+ U- ~3 [$ e! |5 {% |) Z% o0 E* A( E# C
  00401067:  push      00402025    ; \\.\SICE
2 i, `6 k6 K9 x( e/ v  0040106C:  call      CreateFileA
: K4 V+ x5 R( b0 n# v# G  00401071:  cmp       eax,-001
9 X8 e0 U7 Y: s  B8 o  00401074:  je        004010912 M4 E/ G4 g& a8 r: J

: |- Z) K/ d2 q0 Y" G. G9 \( t) ]8 z3 U+ V4 l! U* Q! S5 X# l
There could be hundreds of BPX you could use to detect this trick.
  \, M  r1 i9 C+ K# j5 Z" \-The most classical one is:* a5 s: S2 Y! w7 @& n) d; w
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
9 N  j0 Y5 }6 {- E- t$ A    *(esp-&gt;4+4)=='NTIC'  }: G2 T+ ~6 s! z' u0 B

( j* E9 e, W: b$ `-The most exotic ones (could be very slooooow :-(% i- W2 e( I1 R7 U9 g. Q
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  6 M; h: f* m2 Q/ |( L' W' f  {! `8 ]
     ;will break 3 times :-(
1 f8 M. i, o, |' [8 P- A* v/ `- l. p
, A' p+ p- x) d0 k: d1 S-or (a bit) faster:
1 M" c/ W5 ?) ~, v9 p9 a   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
# t, u8 y7 v3 T3 O8 }: j; i6 ?& y; X  d' Q6 p/ {  ~" J
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  7 b" I) a6 S- G  h
     ;will break 3 times :-(/ m. m) H/ e$ l) ?3 l' G) N) w
8 G9 D- F. t1 G- L8 Y
-Much faster:+ `$ T; V  D# Q( C! o# y1 r
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
# S) e: z6 A/ u+ g3 E4 a
* M' ?0 i- ~6 U, x  Z! S6 @7 TNote also that some programs (like AZPR3.00) use de old 16-bit _lopen1 t; N- m3 a+ K9 l% x
function to do the same job:
& i/ B# q' t% |
1 n" w! M8 |+ W$ z1 v$ e& O" ~6 m   push    00                        ; OF_READ
: W% ]1 x; r% G( ?& G) o   mov     eax,[00656634]            ; '\\.\SICE',0" P4 K; x  w% y. M
   push    eax
; L4 M4 X- p* ?! H9 Q   call    KERNEL32!_lopen' _6 l( h3 a) _# S6 G
   inc     eax3 d- d8 ]9 P7 X* p, t5 m
   jnz     00650589                  ; detected9 e& \  {* Z( d8 |0 w7 n1 d
   push    00                        ; OF_READ  I# q. }+ s! F, T9 y
   mov     eax,[00656638]            ; '\\.\SICE'
' w& Q6 n4 o) h7 h" B2 j   push    eax
6 m3 W! b, ?+ x   call    KERNEL32!_lopen2 J/ g3 C) C$ H$ W
   inc     eax& ~3 e- X+ O7 e% A  x1 S" L
   jz      006505ae                  ; not detected( U& D8 @( C7 j, V; _% ~
4 v' s! o# m! {+ Y( U0 |) t" A

( _5 H* R, q3 {) |. {$ e" u( y__________________________________________________________________________
1 I6 J3 A: M" o. N3 Y+ r
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
/ |/ i! c3 p# v5 ]</PRE></TD></TR></TBODY></TABLE>