<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It uses the
BoundsChecker interface built into SoftICE: with 'BCHK' in EBP and AX=4,
an int 3 is answered by SoftICE when it is loaded, and AL is no longer 4 on
return. With no debugger present nobody answers and AL keeps its value.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL still 4: nobody answered the call
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD by its ID via int 2Fh,
function 1684h (Get Device API Entry Point): if the VxD is loaded, ES:DI
receives its API entry point; otherwise ES:DI stays 0:0.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one (method 06) are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). Before issuing int 41h, the
code plants a dummy handler in the real-mode vector (ES must point to the
interrupt vector table, segment 0), so that without a debugger the call is
a plain iret and ax keeps its value; if SoftICE intercepts int 41h the
dummy handler is never reached and 0F386h comes back. The original vector
is restored afterwards:

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install dummy handler, keep old offset in DX
        xchg bx, es:[41h*4+2]   ; ...and old segment in BX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
constant (4Fh or 0F386h) appears in the code. The dummy handler copies AL
into CL; a byte read from the timer (port 40h) is put in AL, CX is cleared
and int 41h is issued. Without a debugger the dummy handler runs and CL
equals AL; if SoftICE intercepts int 41h before the real-mode vector is
reached, the dummy handler never runs, CL stays 0 and the compare fails.
(Note that the check is silently passed when the timer byte happens to be
0.)

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install dummy handler, keep old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random byte from timer channel 0
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler on int 68h (V86): function 43h
returns the same magic number as int 41h/4Fh when a debugger is present.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client
        eip is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system:
int 01h and int 03h (the single-step and breakpoint interrupts) are
intercepted and redirected to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX = new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (from a VxD, or from a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver devices (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API. If the open succeeds, the driver is
loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE; the open only succeeds
       if the SoftICE VxD is loaded and answers the DIOC_OPEN message. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
SW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025           ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4Fh Debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

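The breakpoints listed for each method catch the trick at run time, once
you are already under SoftICE. A complementary check is to look for the
opcode sequences of methods 01, 02, 03/04, 05, 07 and 12 in the file before
running it. Here is an added example (not code from the original text) of a
masked-signature scanner that does that. The encodings are the standard
x86 ones for the instructions shown in this text (16-bit code for the DOS
tricks, 32-bit code for methods 01 and 12, int 3 as CCh); the VxD ID of
method 03/04 is wildcarded so SICE and SIWVID both match. Both sample
buffers are constructed for the demo; an int 3 encoded as CD 03, a 32-bit
build of a DOS trick, or a packer that splits the sequence with junk would
not match, so treat a hit as a lead, not a verdict.

```c
/* Added example, not from the original text: a masked-signature scanner for
 * the opcode sequences of methods 01, 02, 03/04, 05, 07 and 12, the kind of
 * static triage you run on a packed executable before loading it under
 * SoftICE.  Encodings are the standard x86 ones for the instructions shown
 * in the text (16-bit code for the DOS tricks, 32-bit for methods 01 and
 * 12; int 3 as CCh).  Both sample buffers are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct sig {
    const char    *name;
    const uint8_t *bytes;
    const uint8_t *mask;   /* 0xFF = byte must match, 0x00 = wildcard */
    size_t         len;
};

/* Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 */
static const uint8_t m01[]    = { 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC };
static const uint8_t m01_m[]  = { 0xFF,0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF, 0xFF };
/* Method 02: mov si,4647h / mov di,4A4Dh (16-bit), the backdoor magic pair */
static const uint8_t m02[]    = { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A };
static const uint8_t m02_m[]  = { 0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF };
/* Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh; the id is wildcarded */
static const uint8_t m03[]    = { 0xB8,0x84,0x16, 0xBB,0x00,0x00, 0xCD,0x2F };
static const uint8_t m03_m[]  = { 0xFF,0xFF,0xFF, 0xFF,0x00,0x00, 0xFF,0xFF };
/* Method 05: mov ax,4Fh / int 41h */
static const uint8_t m05[]    = { 0xB8,0x4F,0x00, 0xCD,0x41 };
static const uint8_t m05_m[]  = { 0xFF,0xFF,0xFF, 0xFF,0xFF };
/* Method 07: mov ah,43h / int 68h */
static const uint8_t m07[]    = { 0xB4,0x43, 0xCD,0x68 };
static const uint8_t m07_m[]  = { 0xFF,0xFF, 0xFF,0xFF };
/* Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch through VxDCall) */
static const uint8_t m12[]    = { 0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00 };
static const uint8_t m12_m[]  = { 0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF,0xFF };
/* cmp ax,0F386h: the magic-number compare shared by methods 05, 07 and 12 */
static const uint8_t mcmp[]   = { 0x3D,0x86,0xF3 };
static const uint8_t mcmp_m[] = { 0xFF,0xFF,0xFF };

static const struct sig sigs[] = {
    { "01 BCHK int 3",            m01,  m01_m,  sizeof m01  },
    { "02 backdoor SI/DI magic",  m02,  m02_m,  sizeof m02  },
    { "03/04 int 2Fh/1684h",      m03,  m03_m,  sizeof m03  },
    { "05 int 41h/4Fh",           m05,  m05_m,  sizeof m05  },
    { "07 int 68h/43h",           m07,  m07_m,  sizeof m07  },
    { "12 VxDCall Int41Dispatch", m12,  m12_m,  sizeof m12  },
    { "cmp ax,0F386h",            mcmp, mcmp_m, sizeof mcmp },
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Offset of the first match of sigs[idx] in buf, or -1 if absent. */
long find_sig(const uint8_t *buf, size_t len, size_t idx)
{
    if (idx >= NSIGS) return -1;
    const struct sig *s = &sigs[idx];
    for (size_t off = 0; off + s->len <= len; off++) {
        size_t k = 0;
        while (k < s->len &&
               (buf[off + k] & s->mask[k]) == (s->bytes[k] & s->mask[k]))
            k++;
        if (k == s->len) return (long)off;
    }
    return -1;
}

/* Fill hits[] with the names of the signatures present in buf; return the count. */
size_t scan_softice_tricks(const uint8_t *buf, size_t len,
                           const char **hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < NSIGS && n < max_hits; i++)
        if (find_sig(buf, len, i) >= 0)
            hits[n++] = sigs[i].name;
    return n;
}

size_t count_softice_tricks(const uint8_t *buf, size_t len)
{
    const char *hits[NSIGS];
    return scan_softice_tricks(buf, len, hits, NSIGS);
}

/* Constructed sample: a prologue, then the text's method 01 and method 05
 * sequences (with their cmp/jcc), then method 03 asking for SIWVID (7A5Fh). */
const uint8_t sample_packed[] = {
    0x55, 0x8B,0xEC, 0x90,                       /* push ebp; mov ebp,esp; nop */
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x08,
    0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F,
    0xC3
};
/* Constructed sample with none of the tricks: push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret */
const uint8_t sample_clean[] = { 0x55, 0x8B,0xEC, 0x33,0xC0, 0x5D, 0xC3 };

int main(void)
{
    printf("sample_packed: %zu trick(s)\n",
           count_softice_tricks(sample_packed, sizeof sample_packed));
    for (size_t i = 0; i < NSIGS; i++) {
        long off = find_sig(sample_packed, sizeof sample_packed, i);
        if (off >= 0) printf("  %s at offset %ld\n", sigs[i].name, off);
    }
    printf("sample_clean: %zu trick(s)\n",
           count_softice_tricks(sample_clean, sizeof sample_clean));
    return 0;
}
```

Feed it the raw bytes of the file (or of the unpacked image, if the
packer's own stub is what you are after) and compare the offsets it reports
with the addresses you see under the debugger.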
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the two offsets land on the "tICE" of
"SoftICE" in key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>