<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands... It is also used to crash SoftICE
and to force it to execute any command (HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; ES is assumed to be 0 (the IVT) here, as it is
 xchg bx, es:[41h*4+2] ; set explicitly in the next example
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; timer port: an arbitrary value for al
 xor cx,cx
 int 41h ; our handler copies al into cl, unless SoftICE swallows the int
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
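As an added example (not part of the original text), this Python decoder splits a DR7 value into the fields the trick above reads, so that 0x400, 0x700 and a value with a BPM programmed can be compared side by side. The field layout follows Intel's debug-register documentation; the with_bpm helper and the breakpoint values fed to it are constructed, and whether SoftICE uses the local or the global enable bit is an assumption.

```python
# Added example: decode the x86 DR7 debug control register so that the two
# baseline values quoted in the text (0x400 and 0x700) can be told apart from a
# value with a memory breakpoint programmed. Field layout (Intel debug registers):
# bits 0-7 L0,G0 .. L3,G3 enables; bit 8 LE; bit 9 GE; bit 10 reserved (reads 1);
# bit 13 GD; bits 16-31 R/Wn (2 bits) and LENn (2 bits) for slots 0..3.
BIT = [2 ** i for i in range(32)]
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # the LEN encoding is not in numeric order

def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoint slots and the LE/GE/GD flags of a DR7 value."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                       # slot disabled: its R/W and LEN mean nothing
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"slots": slots, "LE": bool(dr7 & BIT[8]),
            "GE": bool(dr7 & BIT[9]), "GD": bool(dr7 & BIT[13])}

def classify(dr7: int) -> str:
    """Read DR7 the way the trick in the text does."""
    info = decode_dr7(dr7)
    if info["slots"]:
        return "memory breakpoint(s) set in dr0-dr3"
    if info["LE"] and info["GE"]:
        return "no BPM, LE/GE set (0x700: started with the SoftICE loader)"
    return "no BPM (0x400: reserved bit 10 only)"

def with_bpm(dr7: int, slot: int, kind: str, length: int, glob: bool = True) -> int:
    """Constructed helper: program one slot as a data breakpoint of the given kind
    and length. Whether SoftICE uses the local or the global enable bit is an
    assumption here, not something the text states."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(3 * BIT[2 * slot] | 0xF * BIT[16 + 4 * slot])   # clear the slot's fields
    enable = BIT[2 * slot + (1 if glob else 0)]                # Gn when glob, else Ln
    return dr7 | enable | rw * BIT[16 + 4 * slot] | ln * BIT[18 + 4 * slot]

if __name__ == "__main__":
    for v in (0x400, 0x700, with_bpm(0x700, 0, "read/write", 4)):
        print(f"dr7={v:#010x}: {classify(v)} {decode_dr7(v)['slots']}")
```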
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE ) /* the driver answered: SoftICE is loaded */
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

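As an added example (not from the original text), here is a Python scanner that looks in a binary for the byte encodings of the checks listed in methods 01 to 07, 11 and 12 above, so an analyst can spot them statically before ever reaching them under the debugger. The opcode encodings are the standard Intel ones (16-bit forms, with an optional 66h prefix for the 32-bit variants), and the sample blob is constructed.

```python
import re

# Added example: byte signatures for the SoftICE checks described in this text.
# Encodings are the standard Intel ones; an optional 66h operand-size prefix covers
# the Win32 form of the 16-bit register moves (e.g. "mov ax,4Fh" is 66 B8 4F 00 in
# a 32-bit program and B8 4F 00 in a DOS one).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "BCHK / int 3 BoundsChecker check (method 01)":
        rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh (the back door magic values)
    "int 3 back door magic SI=4647h DI=4A4Dh (method 02)":
        rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ; mov bx,[VxD id] ; int 2Fh
    "int 2Fh/1684h SICE id 0202h (method 03)":
        rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x02\x02\xCD\x2F",
    "int 2Fh/1684h SIWVID id 7A5Fh (method 04)":
        rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "int 41h/4Fh debugger check (method 05)":
        rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "int 68h/43h WinICE V86 check (method 07)":
        rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh ; push 2A002Ah before the VxDCall
    "VxDCall VWIN32_Int41Dispatch/4Fh (method 12)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: NUL-terminated device names handed to CreateFileA/_lopen
    "SoftICE device name string (method 11)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

def scan(blob: bytes) -> list:
    """Return (offset, signature name) for every hit in blob, ordered by offset."""
    hits = [(m.start(), name) for name, rx in COMPILED.items() for m in rx.finditer(blob)]
    return sorted(hits)

# Constructed sample: NOP padding around a few of the sequences shown in the text.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 (32-bit)
    + b"\x90" * 4
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x10"          # method 05 (32-bit)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # method 12
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                          # method 11 strings
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:#08x}  {name}")
```

Run it with a file path to scan a real executable; without arguments it scans the constructed sample.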
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>