About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number  ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
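As an added example that is not part of the original post, the following Python script is a static scanner an analyst can run over a sample's code bytes to flag the instruction sequences of Methods 01 to 05 and the driver-name and registry-key strings of Methods 11 and 13. The opcode encodings assume 16-bit code for Methods 02 to 05 and 32-bit code for Method 01, the scanner only recognises the register loads exactly as the methods above show them, and the sample input is constructed inline.

```python
import re

# Instruction-byte signatures for the tricks above: each hex token is one byte,
# "??" matches any byte and ".." a gap of up to 8 bytes (interleaved instructions).
SIGNATURES = {
    # Method 01 (32-bit code): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    "M01 BoundsChecker BCHK":     ["BD 4B 48 43 42 66 B8 04 00 CC 3C 04"],
    # Method 02 (16-bit): mov si,4647h and mov di,4A4Dh (either order), int 3
    "M02 back door magic SI/DI":  ["BE 47 46 .. BF 4D 4A .. CC",
                                   "BF 4D 4A .. BE 47 46 .. CC"],
    # Methods 03/04 (16-bit): mov ax,1684h / mov bx,VxD_ID / int 2Fh
    "M03 int 2F/1684 SICE VxD":   ["B8 84 16 BB 02 02 CD 2F"],
    "M04 int 2F/1684 SIWVID VxD": ["B8 84 16 BB 5F 7A CD 2F"],
    # Method 05 (16-bit): mov ax,4Fh / int 41h ... cmp ax,0F386h
    "M05 int 41/4F magic F386":   ["B8 4F 00 CD 41 .. 3D 86 F3"],
}
# Plain strings from Method 11 (MeltICE device names) and Method 13 (registry).
STRINGS = {
    "M11 MeltICE device name":  [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "M13 SoftICE registry key": [b"Software\\NuMega\\SoftICE",
                                 b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"],
}

def compile_pattern(spec):
    """Translate a hex signature with ?? and .. wildcards into a bytes regex."""
    parts = []
    for tok in spec.split():
        if tok == "??":
            parts.append(b".")
        elif tok == "..":
            parts.append(b".{0,8}?")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(code):
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = set()
    for name, specs in SIGNATURES.items():
        for spec in specs:
            for m in compile_pattern(spec).finditer(code):
                hits.add((m.start(), name))
    for name, needles in STRINGS.items():
        for needle in needles:
            pos = code.find(needle)
            while pos != -1:
                hits.add((pos, name))
                pos = code.find(needle, pos + 1)
    return sorted(hits)

# Constructed sample "code section": NOP filler around several of the sequences.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")  # Method 02, as in Haspinst.exe
    + b"\x90" * 3
    + bytes.fromhex("31FF 8EC7 B88416 BB0202 CD2F")  # Method 03
    + bytes.fromhex("B84F00 CD41 3D86F3")            # Method 05, simplest form
    + b"\x90" * 2
    + b"\\\\.\\SICE\x00"                             # Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"               # Method 13 registry key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Feed it the raw code section of an unpacked executable; hits in a shareware protector or a packed sample tell you which of the tricks above to expect before single-stepping into them.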