About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: with EBP holding the
signature 'BCHK' and AX = 4, SoftICE answers the INT 3 itself and changes AL.
If AL still equals 4 afterwards, nobody handled the call.

    mov     ebp, 04243484Bh        ; 'BCHK' signature
    mov     ax, 04h                ; BoundsChecker function 4
    int     3                      ; answered by SoftICE if it is loaded
    cmp     al,4                   ; AL untouched = no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not loaded, ES:DI comes back
unchanged, which is why the code zeroes it first.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0:0 = no entry point = no VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at a dummy IRET, so with no debugger the call returns with AX unchanged
(4Fh); only a debugger that intercepts int 41h before the vector table is
consulted can still put 0F386h in AX:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 to address the interrupt vector
                                    ; table (added here, as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...and keep the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
instead of asking for function 4Fh, it reads a pseudo-random byte from the
timer (port 40h) into AL and calls int 41h with CX = 0. Its own handler
copies AL to CL, so if the interrupt really went through the vector table,
CL equals AL afterwards; if a debugger swallowed the int 41h, CL stays 0.
(Should the byte read from port 40h happen to be 0, the check passes
regardless: a 1-in-256 miss.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86), the debugger
interface under Windows: function 43h is the installation check and returns
the 0F386h magic value when a debugger is present.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only: MOV from a debug register is privileged and
faults in ring3). Values can be manipulated or changed as well
(clearing BPMs for instance).
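The debug-register check above, as an added example that is not part of the original text: a decoder for DR7 using the documented IA-32 layout (L0..G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved and always read as 1, GD bit 13, R/W and LEN pairs from bit 16 up), which is what makes the 0x400 and 0x700 values quoted above readable. On a real Win9x box this logic would sit in ring-0 code that has just executed MOV EAX,DR7; here the register values are constructed and Python is used only to show the decoding.

```python
"""Decoding DR7 the way the ring-0 check of Method 10 would.

Added example, not code from the original page. The DR7 bit layout is the
IA-32 one; the register values used below are constructed, not read from a
live machine.
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the global flags and the list of armed breakpoints in DR7."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Li
        glob = (dr7 >> (2 * i + 1)) & 1       # Gi
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wi: what access triggers it
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENi: size of the watched range
        bps.append({
            "index": i,
            "addr": dr0_3[i],                 # linear address held in DRi
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),   # general detect: MOV DRx raises #DB
        "breakpoints": bps,
    }


def debugger_indicators(dr7, dr0_3=(0, 0, 0, 0)):
    """Apply the two heuristics of Method 10 and return the reasons found."""
    d = decode_dr7(dr7, dr0_3)
    reasons = []
    if d["LE"] or d["GE"]:
        # 0x700 = bit 10 (reserved, reads as 1) + LE + GE; a plain 0x400 has neither.
        reasons.append("LE/GE set in DR7 (%#x): loaded under a debugger" % dr7)
    for bp in d["breakpoints"]:
        reasons.append("DR%d armed: %s breakpoint, %d byte(s) at %#010x (%s)"
                       % (bp["index"], bp["kind"], bp["len"], bp["addr"], bp["scope"]))
    return reasons


def clear_bpms(dr7):
    """Return DR7 with every L/G enable bit cleared: what 'clearing BPMs' means."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # Constructed samples: a clean machine, the SoftICE-loader case, and a
    # one-byte read/write hardware breakpoint at 401000h armed through DR0.
    for name, dr7, regs in [("clean", 0x400, (0, 0, 0, 0)),
                            ("loader", 0x700, (0, 0, 0, 0)),
                            ("bpm", 0x30402, (0x401000, 0, 0, 0))]:
        print(name, debugger_indicators(dr7, regs) or ["nothing suspicious"])
```

Note that the reserved bit 10 is why a machine with no breakpoints still reads 0x400, and that a debugger running below the checked code can virtualize the MOV from DR7 and hand back whatever it likes, so this check is only as good as the ring it runs in.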

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. If the open succeeds, the driver
is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the lpFileName argument, +4 skips the
 "\\.\" prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

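Most of the tricks above leave fixed byte sequences in the protected file: the immediates of Methods 01 to 07, the device names opened by Method 11 and the two pushes of Method 12. The following static scanner is an added example, not code from the original text nor from any of the tools it names. It searches a raw code image for those instruction encodings (mov r16,imm16 is B8+reg imm16, mov ebp,imm32 is BD imm32, int n is CD n, push imm32 is 68 imm32) and reports where each trick sits, so you know which breakpoint to set before running the target under SoftICE. The sample image is hand-assembled and constructed for the demonstration; a real target would be the load image of the .EXE or a dumped PE section. The patterns only cover the register/immediate forms shown in the text, so a variant that builds the values in other registers will not match; it goes beyond the text only in checking all of these methods in one pass.

```python
"""Static scanner for the anti-SoftICE signatures described in this text.

Added example, not code from the original page. Scans a raw code image for
the byte encodings of Methods 01-07, the device-name strings of Method 11
and the VxDCall arguments of Method 12. SAMPLE_IMAGE is constructed.
"""
import re

SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ... int 3 (mov ax,4 in between, either operand size)
    "01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, in either order
    "02 back door magic SI=4647h DI=4A4Dh":
        re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh (0202h=SICE, 7A5Fh=SIWVID)
    "03/04 int 2Fh/1684h VxD entry point":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh installation check":
        re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 06: in al,40h ... int 41h (timer byte bounced through int 41h)
    "06 in al,40h ... int 41h":
        re.compile(rb"\xE4\x40.{0,8}?\xCD\x41", re.DOTALL),
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h installation check":
        re.compile(rb"\xB4\x43\xCD\x68"),
    # Methods 05/07/12 all compare the answer with the magic number: cmp ax,0F386h
    "05/07/12 cmp ax,0F386h":
        re.compile(rb"\x3D\x86\xF3"),
    # Method 11: "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE" as a C string
    "11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 002A002Ah ahead of Kernel32!ORD_0001 (VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch(4Fh)":
        re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
}


def scan(image):
    """Return a list of (offset, signature name) hits, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(image):
    """Return the set of method numbers (first token of each name) present."""
    return {name.split()[0] for _, name in scan(image)}


NOP4 = b"\x90" * 4
# Constructed image: hand-assembled fragments in the shapes the text shows.
SAMPLE_IMAGE = b"".join([
    NOP4,
    b"\xB8\x11\x09",            # mov ax,0911h   (Method 02, as in Haspinst.exe)
    b"\x8B\x17",                # mov dx,[bx]
    b"\xBE\x47\x46",            # mov si,4647h
    b"\xBF\x4D\x4A",            # mov di,4A4Dh
    b"\xCC",                    # int 3
    NOP4,
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",           # Method 03: int 2Fh/1684h, bx=0202h
    NOP4,
    b"\\\\.\\SIWVID\x00",       # Method 11: device name string
    NOP4,
    b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00",   # Method 12: push 4Fh / push 002A002Ah
    NOP4,
    b"\xB8\x4F\x00\xCD\x41",    # Method 05: mov ax,4Fh / int 41h
    b"\x3D\x86\xF3",            # cmp ax,0F386h
])

if __name__ == "__main__":
    for offset, name in scan(SAMPLE_IMAGE):
        print("%06x  %s" % (offset, name))
```

Run it on a file with `scan(open(path, "rb").read())`; the offsets are file offsets, so for a DOS .EXE subtract the header size and for a PE map the offset through the section table before setting the breakpoint.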
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag: it returns with the Zero flag set when no
debugger is installed.
</PRE></TD></TR></TBODY></TABLE>