<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmps back.
    4C19:00AD MOV BX,SP         ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]       ; saving the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC              ; does nothing: ax stays 4fh unless a debugger answers
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC               ; temporary handler: copies al into cl
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                   ; es -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, saving the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read a changing value (timer) into al
    xor cx,cx
    int 41h                     ; our handler only runs if nobody else owns int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected        ; cl != al: our handler never ran
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE Win9x driver answers an open of \\.\SICE. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver accepted the open: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;               /* no such device: SoftICE is not loaded */
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
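Added example (not from the original text): a small static scanner for the byte encodings of the checks documented in Methods 01 to 05, 07, 11 and 12, the kind of thing an analyst runs over a sample to spot these anti-SoftICE tricks without stepping through them, plus a helper that splits a VxDCall service dword such as 002A002Ah into its VxD ID and service number. The instruction encodings, the VMM/VWIN32 IDs and the sample buffer are my own assumptions; only the SICE/SIWVID IDs and the magic values come from the text.

```python
import re

# Byte-level signatures for the SoftICE checks described on this page, written
# as regexes over raw x86 code (constructed for this example, not from the page).
# An optional 66h operand-size prefix lets each pattern match both the 16-bit and
# the 32-bit encoding of an instruction; GAP tolerates a few unrelated bytes.
GAP = rb".{0,8}?"
SIGNATURES = {
    "Method 01: mov ebp,4243484Bh ('BCHK') BoundsChecker int 3 check":
        rb"\xbd\x4b\x48\x43\x42",
    "Method 02: mov si,4647h / mov di,4A4Dh back door magic values":
        rb"\x66?\xbe\x47\x46" + GAP + rb"\x66?\xbf\x4d\x4a",
    "Method 03/04: int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID":
        rb"\x66?\xb8\x84\x16" + GAP + rb"\x66?\xbb(?:\x02\x02|\x5f\x7a)" + GAP + rb"\xcd\x2f",
    "Method 05: mov ax,4Fh / int 41h debugger installation check":
        rb"\x66?\xb8\x4f\x00" + GAP + rb"\xcd\x41",
    "Method 07: mov ah,43h / int 68h":
        rb"\xb4\x43" + GAP + rb"\xcd\x68",
    "Method 11: SoftICE driver device name (MeltICE style CreateFileA)":
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    "Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)":
        rb"\x6a\x4f" + GAP + rb"\x68\x2a\x00\x2a\x00",
    "Methods 05/07/12: cmp ax,0F386h (system debugger magic number)":
        rb"\x66?\x3d\x86\xf3",
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]

def find_anti_softice_tricks(code: bytes) -> list:
    """Return (offset, description) pairs for every signature hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)

# VxD IDs: VMM and VWIN32 are the standard Windows IDs; SICE/SIWVID are from the text.
VXD_IDS = {0x0001: "VMM", 0x002A: "VWIN32", 0x0202: "SICE", 0x7A5F: "SIWVID"}

def decode_vxdcall(service: int) -> tuple:
    """Split a VxDCall service dword into (VxD name or hex id, service number)."""
    vxd_id, svc = service >> 16, service & 0xFFFF
    return VXD_IDS.get(vxd_id, hex(vxd_id)), svc

# Constructed sample: fragments of the listings above, hand-assembled and padded
# with NOPs, so the scanner can be exercised without a real binary.
SAMPLE = (
    b"\x90\x90"
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # Method 01 (32-bit code)
    + b"\x66\xbe\x47\x46\x66\xbf\x4d\x4a\xcc"              # Method 02 magic values + int 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                  # Method 03 (16-bit code)
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                      # Method 12 VxDCall arguments
    + b"\x66\x3d\x86\xf3"                                  # cmp ax,0F386h
    + b"\x00\\\\.\\SICE\x00"                                # Method 11 device name
)

if __name__ == "__main__":
    for offset, what in find_anti_softice_tricks(SAMPLE):
        print(f"{offset:#06x}  {what}")
```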

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>