<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4              ; AL is modified if SoftICE answered the call
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h vector (ES = 0, the IVT)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our int 41h handler, keep the old one
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a changing value (PIT counter) into AL
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if our handler ran, CL == AL; if SoftICE took int 41h, CL is still 0
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
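Added example (not from the original text): a Python decoder for DR7 that shows where the 0x400 and 0x700 values above come from (bit 10 of DR7 is reserved and always reads as 1; 0x700 adds the LE and GE bits) and which hardware breakpoints DR0-DR3 carry, i.e. exactly what this trick reads from ring 0 and what an analyst loses when such code clears the registers. The sample address 0x401000 and the helper names are made up for the demonstration.

```python
from typing import Dict, List, Tuple

# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2i   = L(i)  local enable of DR(i)      bit 2i+1 = G(i)  global enable
#   bit 8    = LE    local exact breakpoint     bit 9    = GE    global exact
#   bit 10   = reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13   = GD    general detect (traps any MOV to/from a debug register)
#   bits 16+4i,17+4i = R/W(i) condition         bits 18+4i,19+4i = LEN(i)
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int, dr0_3: Tuple[int, int, int, int] = (0, 0, 0, 0)) -> Dict:
    """Split DR7 into its flags and the list of enabled breakpoints."""
    bps: List[Dict] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # DR(i) is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({
            "reg": f"dr{i}",
            "address": dr0_3[i],
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
            "scope": "global" if glob else "local",
        })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "breakpoints": bps,
    }


def classify(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """The text's heuristic: armed DR0-DR3 -> memory breakpoints (BPM) are set,
    LE+GE set -> the 0x700 pattern of the SoftICE loader, else the 0x400 baseline."""
    info = decode_dr7(dr7, dr0_3)
    if info["breakpoints"]:
        regs = ", ".join(f"{b['reg']}={b['address']:#x} ({b['kind']}, {b['length']} bytes)"
                         for b in info["breakpoints"])
        return "memory breakpoint(s) set: " + regs
    if info["LE"] and info["GE"]:
        return "LE/GE set (dr7=0x700 pattern: loaded with the SoftICE loader)"
    return "no breakpoints, LE/GE clear (dr7=0x400 pattern)"


# Constructed sample: the two baselines from the text plus one BPM
# (write, 4 bytes, local enable) on a made-up address 0x401000 in DR0.
BPM_DR7 = 0x400 | 0x1 | (1 << 16) | (3 << 18)   # = 0xD0401

if __name__ == "__main__":
    for regs in ((0x400,), (0x700,), (BPM_DR7, (0x401000, 0, 0, 0))):
        print(hex(regs[0]), "->", classify(*regs))
```

Reading DR0-DR7 (`mov eax, dr7`) is a privileged instruction, which is why the text says ring0 only; the same decoder applies to any x86 hardware breakpoint a debugger sets, SoftICE or not.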
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

// requires windows.h; Win9x device names: SICE, SIWVID; WinNT: NTICE
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     // the open succeeded only because the VxD is loaded
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
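The same fixed constants that make these checks work (the int 3 / int 2Fh / int 41h / int 68h sequences of Methods 01 to 07, the device names of Method 11 and the VxDCall arguments of Method 12) also make them easy to spot statically, before a sample is ever traced. As an added example, not part of this text, here is a Python scanner over the byte encodings of those instruction sequences, the kind of triage an analyst runs on a packed executable to know which anti-SoftICE tricks to expect; the signature table, the slack allowed between instructions and the sample bytes are all constructed here.

```python
import re
from typing import Dict, List, Tuple

# Byte signatures (regexes over raw bytes) for the SoftICE checks of Methods
# 01-07, 11 and 12.  Encodings are the plain x86 ones: B8/BB/BE/BF iw = mov
# ax/bx/si/di, imm16; BD id = mov ebp, imm32; CD ib = int ib; E4 ib = in al, ib;
# B4 ib = mov ah, ib; 6A ib / 68 id = push imm8 / imm32.  An optional 66h prefix
# lets a pattern match both 16-bit and 32-bit code, and ".{0,8}?" tolerates a
# few unrelated bytes between the parts (the listings above are contiguous,
# but packers often interleave junk).  Constructed table, not from the text.
SIGNATURES: Dict[str, bytes] = {
    "01 int 3 'BCHK' (mov ebp,4243484Bh / mov ax,4 / int 3)":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?(?:\x66)?\xB8\x04\x00.{0,8}?\xCC",
    "02 int 3 back door (mov si,4647h / mov di,4A4Dh / int 3)":
        rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC",
    "03/04 int 2Fh/1684h (mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh)":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "05 int 41h/4Fh (mov ax,4Fh / int 41h)":
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41",
    "06 int 41h handler swap (in al,40h / int 41h)":
        rb"\xE4\x40.{0,8}?\xCD\x41",
    "07 int 68h/43h (mov ah,43h / int 68h)":
        rb"\xB4\x43.{0,8}?\xCD\x68",
    "11 MeltICE device name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, file offset) for every hit, ordered by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED.items() for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: h[1])


def method_ids(blob: bytes) -> List[str]:
    """Just the method numbers ('01', '05', ...) of the hits, in file order."""
    return [name.split()[0] for name, _ in scan(blob)]


# Constructed sample "binary": filler instructions with four of the checks
# embedded (16- and 32-bit fragments mixed on purpose), so the scanner has
# realistic input to run on offline.
SAMPLE = (
    b"\x55\x8B\xEC\x90\x90"                                # push ebp / mov ebp,esp / nops
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # Method 01 (32-bit form)
    + b"\x3C\x04\x75\x10\x90"                              # cmp al,4 / jnz / nop
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"          # Method 05 + cmp ax,0F386h / jz (16-bit)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"  # Method 12 + call rel32
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # Method 11 device-name strings
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"0x{off:04X}  Method {name}")
```

The slack between instructions is a trade-off: widening it catches interleaved junk but raises the false-positive rate on ordinary code (a lone `int 41h` or a `\\.\` string is not suspicious by itself), so each signature is anchored on the magic constant rather than on the interrupt alone.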

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
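Added example (not from the original text): how the two offsets in that breakpoint condition follow from the sub-key strings, in Python. It assumes, as the condition does, that the lpSubKey argument of RegOpenKey(hKey, lpSubKey, phkResult) sits at esp->8 at the breakpoint and that SoftICE compares the 4-byte DWORD at that address with the 'tICE' literal in memory order; the helper names are constructed.

```python
from typing import Dict, Optional

# The three sub-keys from Method 13.  HKEY_LOCAL_MACHINE is the hKey argument,
# so lpSubKey points at the string after the root.
SUBKEYS: Dict[str, str] = {
    "#1": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "#2": "Software\\NuMega\\SoftICE",
    "#3": "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
}


def needle_offsets(subkeys: Dict[str, str], needle: str = "tICE") -> Dict[str, Optional[int]]:
    """Byte offset of the 4-character needle inside each sub-key, None if absent
    (key #3 names Loader32.Exe, not SoftICE, so it is not covered by the breakpoint)."""
    return {label: (k.index(needle) if needle in k else None) for label, k in subkeys.items()}


def bpx_condition(subkeys: Dict[str, str], needle: str = "tICE", arg: str = "esp->8") -> str:
    """Build the SoftICE conditional breakpoint: one DWORD compare per distinct offset.
    `arg` is the stack slot holding lpSubKey (esp->8 for RegOpenKey's 2nd argument)."""
    offs = sorted({o for o in needle_offsets(subkeys, needle).values() if o is not None})
    terms = [f"*({arg}+{o:#x})=='{needle}'" for o in offs]
    return "BPX _regopenkey if " + " || ".join(terms)


if __name__ == "__main__":
    for label, off in needle_offsets(SUBKEYS).items():
        print(label, "->", "not covered" if off is None else f"offset {off:#x}")
    print(bpx_condition(SUBKEYS))
```

Comparing a DWORD at a fixed offset is what keeps the breakpoint cheap; the price is that a program opening SoftICE's key through a differently spelled path (a trailing backslash, a different root key) slips past it, which is why the offsets must be recomputed for any new key you want to cover.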
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>