<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with 'BCHK' in EBP and
AX = 4, an INT 3 comes back with AL still equal to 4 unless SoftICE is
loaded and has answered it.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to reach
the SoftICE 'back door' commands, which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095  MOV   AX,0911      ; execute command.
    4C19:0098  MOV   DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A  MOV   SI,4647      ; 1st magic value.
    4C19:009D  MOV   DI,4A4D      ; 2nd magic value.
    4C19:00A0  INT   3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1  ADD   BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4  INC   CX
    4C19:00A5  CMP   CX,06        ; Repeat 6 times to execute
    4C19:00A8  JB    0095         ; 6 different commands.
    4C19:00AA  JMP   0002         ; Bad_Guy jmp back.
    4C19:00AD  MOV   BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

____________________________________________________________________________

Method 03
=========

A less-used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): if the VxD is loaded, ES:DI comes back non-zero.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h that every system debugger
returns (in AX) from int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is temporarily
replaced by a handler that simply IRETs, so AX can only come back as 0F386h
if a debugger intercepts the interrupt before the vector is consulted:

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect. This
time the replacement handler copies AL into CL; if the interrupt never reaches
it (because SoftICE swallowed it), CL stays at zero while AL holds the value
just read from the timer port, and the comparison fails:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = unpredictable value (timer counter)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
of that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(dr0 to dr3), simply by reading their value (ring0 only). The values can be
manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025           ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001
    00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, there are several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
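As an added example (not part of the original text), here is a small Python scanner for analysts that turns the instruction sequences and strings quoted in Methods 01 to 13 into byte signatures and reports where they occur in a binary image, so these checks can be located in a program before tracing it. The byte encodings follow from the 16-bit/32-bit instructions above; the tolerated gap lengths between the constant loads and the INT are my assumptions, and the sample image is constructed inline.

```python
"""Static scanner for the anti-SoftICE tricks described in Methods 01-13.

Each signature is the raw byte encoding of an instruction sequence or
string quoted above; '.' with re.DOTALL tolerates unrelated instructions
between the constant loads and the INT / CALL that uses them (assumed gaps).
"""
import re
from typing import List, Tuple

SIGNATURES: List[Tuple[str, bytes]] = [
    # M01: mov ebp,4243484Bh ('BCHK', stored little-endian as "KHCB") ... int 3
    ("M01 BoundsChecker BCHK/int 3",            rb"\xBDKHCB.{0,8}\xCC"),
    # M02: mov si,4647h ; mov di,4A4Dh ; int 3   (magic values 'FG' / 'JM')
    ("M02 SoftICE back door (SI/DI magic)",     rb"\xBEGF\xBFMJ.{0,4}\xCC"),
    # M03/M04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh
    ("M03 int 2Fh/1684h, VxD id 0202 (SICE)",   rb"\xB8\x84\x16\xBB\x02\x02.{0,4}\xCD\x2F"),
    ("M04 int 2Fh/1684h, VxD id 7A5F (SIWVID)", rb"\xB8\x84\x16\xBB\x5F\x7A.{0,4}\xCD\x2F"),
    # M05/M06: mov ax,4Fh ; int 41h ; ... ; cmp ax,0F386h
    ("M05 int 41h/4Fh debugger check",          rb"\xB8\x4F\x00\xCD\x41.{0,12}\x3D\x86\xF3"),
    # M07: mov ah,43h ; int 68h
    ("M07 int 68h/43h WinICE handler",          rb"\xB4\x43\xCD\x68"),
    # M11: device names opened with CreateFileA / _lopen (MeltICE)
    ("M11 MeltICE device name",                 rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    # M12: push 4Fh ; push 002A002Ah ; call VxDCall (VWIN32_Int41Dispatch)
    ("M12 VxDCall VWIN32_Int41Dispatch",        rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # M13: registry key of the SoftICE installation
    ("M13 SoftICE registry key",                rb"Software\\NuMega\\SoftICE"),
]


def scan(image: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, file offset) for every hit, ordered by offset."""
    hits = [(name, m.start())
            for name, pattern in SIGNATURES
            for m in re.finditer(pattern, image, re.DOTALL)]
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample (not a real file): the Haspinst.exe back-door loop from
# Method 02, the simplest Method 05 check and a MeltICE device name, padded
# with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"           # mov ax,0911h         (offset 4)
    + b"\x8B\x17"               # mov dx,[bx]
    + b"\xBE\x47\x46"           # mov si,4647h         (offset 9)
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh
    + b"\xCC"                   # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"   # mov ax,4Fh ; int 41h (offset 20)
    + b"\x3D\x86\xF3"           # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"        # "\\.\SICE",0         (offset 32)
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run against a real file with `scan(open(path, "rb").read())`; a hit only says the bytes are present, so confirm it in the disassembly before acting on it.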
</PRE></TD></TR></TBODY></TABLE>