<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for SoftICE's BoundsChecker support: with 'BCHK' in EBP and AX=04h,
the int 3 becomes a BoundsChecker request, which SoftICE answers by changing
AL. Without SoftICE the int 3 returns with AL still equal to 4.

        mov     ebp, 04243484Bh         ; 'BCHK' (42h 43h 48h 4Bh)
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected        ; AL changed -> SoftICE handled the int 3

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on int 3, which returns information about
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (exception handler) installed by
  the program if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/AX=1684h
(Get Device API Entry Point): BX holds the VxD ID and the call returns the
API entry point in ES:DI. ES:DI is zeroed first so that the check does not
depend on the handler having set them; a non-zero result means the VxD
answered.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE graphics (video) VxD, SIWVID.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system-level debugger when int 41h is called with AX=4Fh (the Windows
"debugger installation check"). There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next variant, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program temporarily installs its
own int 41h handler (a bare iret), so that when no debugger is present the
interrupt returns harmlessly with AX still 4Fh. This matters under plain DOS,
where vector 41h points at the fixed-disk parameter table rather than at
code. A debugger such as SoftICE handles int 41h below the interrupt vector
table, so it still answers with 0F386h even though the vector was replaced.

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table (added, as in Method 06)
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector in DX:BX
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot: neither the 4Fh
function number nor the 0F386h constant appears. The program's own int 41h
handler copies AL into CL. AL is loaded with a pseudo-random byte from the
timer port (40h) and CX is cleared before the call. If no debugger is
present the handler runs and CL == AL afterwards; if a debugger intercepts
int 41h and services the call itself, the handler never runs, so CL stays 0
and differs from AL.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector in DX:BX
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random value from timer channel 0
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

Caveat: when the byte read from port 40h happens to be 0, CL and AL are equal
whether or not the handler ran, so this check gives a false negative about
one time in 256.

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): AH=43h is the int 68h
debugger installation check and returns 0F386h in AX when a debugger is
present.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX Exec_Int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a SoftICE detection method, but a way to crash the system by intercepting
int 01h and int 03h (the single-step and breakpoint interrupts a debugger
relies on) and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov     ah, 25h                 ; DOS set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        BPX Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether SoftICE
is loaded (DR7=0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (DR0 to DR3).
In DR7, 0x400 is bit 10, which is reserved and always reads as 1; 0x700 adds
bits 8 and 9 (LE and GE, the local/global exact breakpoint enables), which
the loader sets. A BPM shows up as one of the enable bits L0-L3/G0-G3 in the
low byte of DR7 plus its address in the matching DRn. Values can be
manipulated or changed as well (clearing BPMs, for instance).

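To make the DR7 reading above concrete, here is a small decoder written for
this page (an added example, not code from the original text or from
SoftICE). It interprets the bit fields of the value a ring-0 check would
obtain with mov eax,dr7, applies the heuristic described above (0x400 idle,
0x700 after the SoftICE loader, any BPM armed), and builds or clears
breakpoint fields the way "values can be manipulated" describes. The sample
values are constructed; the program never touches the real debug registers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM, "Debug Control Register DR7"):
 *   bit 2i    Li    local enable of breakpoint i (i = 0..3)
 *   bit 2i+1  Gi    global enable of breakpoint i
 *   bit 8     LE    local exact breakpoint enable
 *   bit 9     GE    global exact breakpoint enable
 *   bit 10    reserved, always reads as 1  (the 0x400 quoted in Method 10)
 *   bit 13    GD    general detect: trap on any access to DR0-DR7
 *   bits 16+4i,17+4i  R/Wi  0=exec 1=write 2=I/O (needs CR4.DE) 3=read/write
 *   bits 18+4i,19+4i  LENi  0=1 byte 1=2 bytes 3=4 bytes (2=8 bytes, 64-bit only)
 */
#define DR7_LE       (1u << 8)
#define DR7_GE       (1u << 9)
#define DR7_RESERVED (1u << 10)
#define DR7_GD       (1u << 13)

typedef struct {
    bool     local_en[4], global_en[4];
    unsigned rw[4], len[4];      /* raw 2-bit field values */
    bool     le, ge, gd;
} dr7_fields;

/* Split a DR7 value into its fields. */
dr7_fields dr7_decode(uint32_t dr7)
{
    dr7_fields f;
    for (int i = 0; i < 4; i++) {
        f.local_en[i]  = (dr7 >> (2 * i))      & 1u;
        f.global_en[i] = (dr7 >> (2 * i + 1))  & 1u;
        f.rw[i]        = (dr7 >> (16 + 4 * i)) & 3u;
        f.len[i]       = (dr7 >> (18 + 4 * i)) & 3u;
    }
    f.le = dr7 & DR7_LE;
    f.ge = dr7 & DR7_GE;
    f.gd = dr7 & DR7_GD;
    return f;
}

/* Number of bytes covered by a LEN field. */
unsigned dr7_len_bytes(unsigned len_code)
{
    static const unsigned bytes[4] = { 1, 2, 8, 4 };
    return bytes[len_code & 3u];
}

/* The heuristic from Method 10: LE/GE set (program started by the SoftICE
 * loader), GD set, or any breakpoint slot armed (a BPM) -> debugger present.
 * Exactly 0x400 is the architectural idle value. */
bool dr7_indicates_debugger(uint32_t dr7)
{
    dr7_fields f = dr7_decode(dr7);
    if (f.le || f.ge || f.gd)
        return true;
    for (int i = 0; i < 4; i++)
        if (f.local_en[i] || f.global_en[i])
            return true;
    return false;
}

/* Arm breakpoint slot 0..3 with the given R/W and LEN codes: the DR7 value a
 * BPM would leave behind (the address itself goes in DR0..DR3). */
uint32_t dr7_arm(uint32_t dr7, int slot, unsigned rw, unsigned len_code, bool global)
{
    uint32_t v = dr7 | DR7_RESERVED;
    v &= ~(0xFu << (16 + 4 * slot));
    v |= ((rw & 3u) | ((len_code & 3u) << 2)) << (16 + 4 * slot);
    v |= 1u << (2 * slot + (global ? 1 : 0));
    return v;
}

/* Clear every breakpoint slot ("clearing BPMs"); LE/GE/GD are left alone. */
uint32_t dr7_disarm_all(uint32_t dr7)
{
    return (dr7 & ~0xFFFF00FFu) | DR7_RESERVED;
}

int main(void)
{
    /* Constructed samples: the two values quoted in Method 10, plus 0x700
     * with a 4-byte read/write BPM armed in slot 0. */
    uint32_t samples[3] = { 0x400u, 0x700u, dr7_arm(0x700u, 0, 3, 3, false) };
    for (int k = 0; k < 3; k++) {
        dr7_fields f = dr7_decode(samples[k]);
        printf("dr7=%#010x debugger=%d LE=%d GE=%d", (unsigned)samples[k],
               (int)dr7_indicates_debugger(samples[k]), (int)f.le, (int)f.ge);
        for (int i = 0; i < 4; i++)
            if (f.local_en[i] || f.global_en[i])
                printf(" bp%d:%s rw=%u len=%u", i, f.global_en[i] ? "G" : "L",
                       f.rw[i], dr7_len_bytes(f.len[i]));
        putchar('\n');
    }
    return 0;
}
```

Reading DR7 for real needs ring 0 (mov eax,dr7 faults in ring 3), and under
a hypervisor or a modern OS the value reflects whatever the kernel or the
guest configuration put there, so treat 0x700 as a loader hint, not proof.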
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API. If the open succeeds, the driver is
loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name registered by the SoftICE VxD; the open
       only succeeds when the VxD is loaded and answers DIOC_OPEN. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025            ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001            ; INVALID_HANDLE_VALUE
    00401074:  je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, and the
  4-byte compare matches the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the inc eax / jnz test):

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; -1 -> 0 when the open failed
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word selects the VxD (VWIN32),
                                        ; low word selects the service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-((

Useful breakpoint to catch it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" in key #2 and
0x37 its offset in key #1. Key #3 contains no "tICE", so this breakpoint does
not catch it.)

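The two breakpoint conditions quoted for Method 11 (CreateFileA) and for
Method 13 (_regopenkey) both read a pointer argument off the stack and
compare four bytes at a fixed offset. The C program below, added for this
page and not part of the original text, models that SoftICE expression over
constructed strings so you can verify the offsets 0x13 and 0x37, derive the
offset for any other string, and see what the conditions miss. The names
sice_dword_at, sice_tag_offset and bpx_* are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* *(p+off)=='XXXX' in SoftICE syntax: compare the four bytes at p+off with
 * the four characters of tag, in memory order. Returns false rather than
 * reading past the end of a short string. */
bool sice_dword_at(const char *p, size_t off, const char *tag)
{
    size_t n = strlen(p);
    if (off > n || n - off < 4)
        return false;
    return memcmp(p + off, tag, 4) == 0;
}

/* Offset you would have to put in such a condition for tag to match,
 * or -1 if the tag never occurs in the string. */
long sice_tag_offset(const char *p, const char *tag)
{
    const char *hit = strstr(p, tag);
    return hit ? (long)(hit - p) : -1;
}

/* Method 11 condition. esp->4 is CreateFileA's first argument, lpFileName;
 * +4 skips the "\\.\" device prefix. */
bool bpx_createfilea_cond(const char *lpFileName)
{
    return sice_dword_at(lpFileName, 4, "SICE")
        || sice_dword_at(lpFileName, 4, "SIWV")
        || sice_dword_at(lpFileName, 4, "NTIC");
}

/* Method 13 condition. esp->8 is the second argument of RegOpenKey, lpSubKey;
 * 0x13 and 0x37 are where "tICE" sits in keys #2 and #1 respectively. */
bool bpx_regopenkey_cond(const char *lpSubKey)
{
    return sice_dword_at(lpSubKey, 0x13, "tICE")
        || sice_dword_at(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    /* Constructed inputs: the device names and registry keys the text lists,
     * plus two ordinary names that must not trigger the breakpoints. */
    const char *files[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
        "\\\\.\\PhysicalDrive0", "C:\\readme.txt",
    };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(%-22s) -> %s\n", files[i],
               bpx_createfilea_cond(files[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(%s)\n  'tICE' at offset %ld -> %s\n", keys[i],
               sice_tag_offset(keys[i], "tICE"),
               bpx_regopenkey_cond(keys[i]) ? "break" : "pass");
    return 0;
}
```

The fixed-offset compare is fast inside SoftICE but brittle: a program that
opens the key with a different case, a trailing sub-key or key #3 slips past
it, which is why sice_tag_offset is worth running on any new string before
you trust a breakpoint condition built this way.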
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). It returns with ZF set when no debugger is installed.

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>