<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                ; SoftICE answers the BoundsChecker query by changing al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax              ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax               ; es = 0 so es:[41h*4] addresses the IVT (same setup as Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                     ; our handler does nothing: only a debugger changes ax
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al               ; runs only if nothing intercepts int 41h before the IVT
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax               ; es = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    in al, 40h               ; read the timer port to get an unpredictable value in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al               ; cl != al: our handler never ran, a debugger took the call
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the SICE device only succeeds if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
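As an added illustration (not part of the original text), the following Python scanner turns the signatures of methods 01, 02, 05, 07, 11, 12 and 13 into byte patterns and flags them in a constructed sample buffer, the way an analyst triages a packed sample for these tricks. The opcode bytes are the standard x86 encodings of the instructions quoted above; assemblers can pick other encodings, so a miss is not proof of absence.

```python
"""Static triage of x86 code/data for the SoftICE anti-debugging signatures
described in the methods above.  Added example; not part of the original text."""
import re
from typing import List, Tuple

# (method, description, bytes regex).  Opcode bytes are the standard x86
# encodings of the instructions quoted in each method; the lazy .{0,n}? gaps
# tolerate a few interleaved instructions.  Assembler choices can differ, so
# this is a triage aid, not an oracle.
RULES = [
    ("01", "mov ebp,'BCHK' ... int 3 (BoundsChecker signature)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    ("02", "back door: mov si,4647h / mov di,4A4Dh ... int 3",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,16}?\xCC", re.DOTALL)),
    ("05", "mov ax,4Fh / int 41h ... cmp ax,0F386h (66h prefix optional)",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?\x66?\x3D\x86\xF3",
                re.DOTALL)),
    ("07", "mov ah,43h / int 68h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("11", "MeltICE: SoftICE device name for CreateFile/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("13", "registry lookup of the SoftICE installation key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]

Finding = Tuple[int, str, str]  # (offset, method, description)


def scan(buf: bytes) -> List[Finding]:
    """Return every rule hit in buf as (offset, method, description), sorted by offset."""
    hits: List[Finding] = []
    for method, desc, pattern in RULES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample (not a real binary): NOP padding around the 32-bit form of
# method 05, the VxDCall form of method 12, two MeltICE device names and the
# NuMega registry key.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x10"      # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"  # push 4Fh / push 2A002Ah / call [VxDCall]
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"                   # "\\.\SICE", "\\.\NTICE"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method}: {desc}")
```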
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>