<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP = 'BCHK' and
AX = 4, SoftICE recognizes the INT 3 and returns with AL modified, whereas
without SoftICE AL is still 4. As with Method 02, an INT 3 executed with no
debugger present raises an exception, so the check has to sit under an
exception handler.

 mov ebp, 04243484Bh    ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It invokes the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

 4C19:0095 MOV AX,0911   ; execute command.
 4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647   ; 1st magic value.
 4C19:009D MOV DI,4A4D   ; 2nd magic value.
 4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
 4C19:00A8 JB 0095       ; 6 different commands.
 4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
 4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI stays 0:0.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h       ; VxD ID of WINICE
 int 2Fh
 mov ax, es          ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks up the ID of the
SoftICE video VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh       ; VxD ID of SIWVID
 int 2fh
 mov ax, es          ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next variant, as well as the one in Method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). It first points the int 41h vector
at a dummy handler (ES must be 0 here, as it is in Method 06), so that
without a debugger the interrupt simply returns and AX is still 4Fh:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]      ; swap in our handler, old vector saved in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]      ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot because it never
uses function 4Fh. The program installs its own int 41h handler, which copies
AL into CL and returns; it then loads AL with a varying value (read from the
timer port 40h), clears CX and calls int 41h. If nothing intercepts the
interrupt, the handler runs and CL equals AL afterwards; if SoftICE handles
int 41h itself, the handler never runs and CL is still 0. (Should the byte
read from port 40h happen to be 0, the check misses; that is the price of the
random value.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number      ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed.

 mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID
 mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set (DR0
to DR3), simply by reading their values (ring 0 only, since MOV from a debug
register is a privileged instruction). The values can be manipulated or
changed as well (clearing BPMs, for instance).

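The following decoder is an added example, not code from the original text: it
interprets a DR7 value the way a ring-0 check would after reading the register,
using the bit layout from the Intel SDM (L/G enables in bits 0-7, LE/GE in bits
8-9, the always-set reserved bit 10, GD in bit 13, R/W and LEN fields from bit
16). The two values the text quotes, 0x400 and 0x700, differ exactly by LE and
GE with no breakpoint slot enabled. The register values and the address in
main() are constructed for the demonstration; the privileged read itself
(MOV EAX, DR7) is not performed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One hardware breakpoint slot as encoded in DR7. */
typedef struct {
    int local_enable;   /* L<n>, bit 2n   */
    int global_enable;  /* G<n>, bit 2n+1 */
    unsigned rw;        /* R/W<n>, bits 16+4n..17+4n */
    unsigned len;       /* LEN<n>, bits 18+4n..19+4n */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le;             /* bit 8:  local exact breakpoint enable  */
    int ge;             /* bit 9:  global exact breakpoint enable */
    int gd;             /* bit 13: general detect, traps MOV to/from DRn */
    int enabled_count;  /* slots with L or G set */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info info;
    memset(&info, 0, sizeof info);
    for (unsigned n = 0; n < 4; n++) {
        dr7_slot *s = &info.slot[n];
        s->local_enable  = (dr7 >> (2 * n))     & 1;
        s->global_enable = (dr7 >> (2 * n + 1)) & 1;
        s->rw  = (dr7 >> (16 + 4 * n)) & 3;
        s->len = (dr7 >> (18 + 4 * n)) & 3;
        if (s->local_enable || s->global_enable)
            info.enabled_count++;
    }
    info.le = (dr7 >> 8)  & 1;
    info.ge = (dr7 >> 9)  & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* R/W field meaning; rw==2 is an I/O breakpoint only when CR4.DE is set. */
const char *dr7_rw_name(unsigned rw)
{
    static const char *const names[] = {"exec", "write", "io", "read/write"};
    return names[rw & 3];
}

/* LEN field to byte count; 2 means 8 bytes in 64-bit mode, undefined on 32-bit. */
unsigned dr7_len_bytes(unsigned len)
{
    static const unsigned bytes[] = {1, 2, 8, 4};
    return bytes[len & 3];
}

/* The loader signature from the text: 0x700 is 0x400 (reserved bit 10,
   always reads 1) plus LE and GE, with no breakpoint slot enabled. */
int dr7_has_exact_enables(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Is any hardware breakpoint (a BPM, in SoftICE terms) armed? */
int dr7_any_breakpoint(uint32_t dr7)
{
    return decode_dr7(dr7).enabled_count > 0;
}

/* Print the armed slots like a BPM listing; dr[] holds DR0..DR3. */
void print_breakpoints(uint32_t dr7, const uint32_t dr[4])
{
    dr7_info info = decode_dr7(dr7);
    printf("DR7=%08x LE=%d GE=%d GD=%d\n", dr7, info.le, info.ge, info.gd);
    for (unsigned n = 0; n < 4; n++) {
        const dr7_slot *s = &info.slot[n];
        if (!s->local_enable && !s->global_enable)
            continue;
        printf("  DR%u=%08x %s len=%u %s\n", n, dr[n], dr7_rw_name(s->rw),
               dr7_len_bytes(s->len), s->global_enable ? "global" : "local");
    }
}

int main(void)
{
    /* Constructed values: an untouched register, the loader signature, and
       one 4-byte read/write breakpoint in slot 0 on a made-up address. */
    const uint32_t clean = 0x400, loader = 0x700;
    const uint32_t one_bpm = 0x700 | 1u | (3u << 16) | (3u << 18);
    const uint32_t dr[4] = {0x00401000, 0, 0, 0};
    printf("clean:  bpm=%d exact=%d\n", dr7_any_breakpoint(clean), dr7_has_exact_enables(clean));
    printf("loader: bpm=%d exact=%d\n", dr7_any_breakpoint(loader), dr7_has_exact_enables(loader));
    print_breakpoints(one_bpm, dr);
    return 0;
}
```

A check that only compares DR7 against 0x700 misses a debugger that armed a
BPM without the loader; testing enabled_count as well covers both cases the
text describes.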
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega to allow Symbol
Loader to check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver handles
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow its
handle to be opened, and it will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025     ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There are dozens of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
     *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit-style _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

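As an added example (not MeltICE's source, nor the nmtrans.dll code), the
block below shows both sides of this trick. The detector side generalizes the
IsSoftIce95Loaded() sample above to every device name the text lists (SICE,
SIWVID, NTICE); the open routine is passed in as a function pointer so the
logic runs off Windows with a constructed stand-in, while on Windows it uses
the same CreateFileA/CloseHandle pair. The defender side is the test that the
classical breakpoint condition BPX CreateFileA if *(esp->4+4)=='SICE' || ...
performs: esp->4 is lpFileName, +4 skips the "\\.\" prefix, and the four bytes
there are compared as one dword. Two things are assumptions of this example
rather than part of the breakpoint: the prefix check and the minimum-length
check, which keep the filter from matching "SICE" buried in an ordinary path
or from reading past the end of a short string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Device names a MeltICE-style check tries to open. */
static const char *const kSoftIceDevices[] = {
    "\\\\.\\SICE",    /* SoftICE, Win9x      */
    "\\\\.\\SIWVID",  /* SoftICE video VxD   */
    "\\\\.\\NTICE",   /* SoftICE, Windows NT */
};
#define N_SOFTICE_DEVICES (sizeof kSoftIceDevices / sizeof kSoftIceDevices[0])

/* Read 4 bytes as they sit in memory, like a dword dereference does. */
static uint32_t dword_at(const char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Defender side: the filter a CreateFileA hook or the BPX above applies.
   Returns 1 when lpFileName is a "\\.\" path whose name starts with
   SICE, SIWV or NTIC. The length check is an assumption added here: the raw
   breakpoint expression reads 4 bytes at +4 whatever the string length. */
int is_softice_device_name(const char *lpFileName)
{
    if (lpFileName == NULL || strlen(lpFileName) < 8)
        return 0;
    if (memcmp(lpFileName, "\\\\.\\", 4) != 0)
        return 0;
    uint32_t tag = dword_at(lpFileName + 4);
    return tag == dword_at("SICE") || tag == dword_at("SIWV") ||
           tag == dword_at("NTIC");
}

/* Detector side: probe(path) returns nonzero if the device could be opened. */
typedef int (*open_probe_fn)(const char *path);

/* Returns the index in kSoftIceDevices of the first device that answered,
   or -1 when none did. */
int probe_softice_devices(open_probe_fn probe)
{
    for (size_t i = 0; i < N_SOFTICE_DEVICES; i++)
        if (probe(kSoftIceDevices[i]))
            return (int)i;
    return -1;
}

#ifdef _WIN32
/* The real probe: the CreateFileA/CloseHandle pair from the sample above. */
int win32_open_probe(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Constructed stand-in for offline runs: pretends only NTICE is present. */
int fake_probe_ntice_only(const char *path)
{
    return strcmp(path, "\\\\.\\NTICE") == 0;
}

int main(void)
{
#ifdef _WIN32
    int hit = probe_softice_devices(win32_open_probe);
#else
    int hit = probe_softice_devices(fake_probe_ntice_only);
#endif
    printf("probe: %s\n", hit < 0 ? "no SoftICE device" : kSoftIceDevices[hit]);
    printf("filter: SIWVID=%d C:\\SICE.TXT=%d\n",
           is_softice_device_name("\\\\.\\SIWVID"),
           is_softice_device_name("C:\\SICE.TXT"));
    return 0;
}
```

Because the filter compares the dword at offset 4, "\\.\SIWVID" matches on
'SIWV' alone, which is why the breakpoint conditions above only ever spell the
first four letters.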
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001  ; VxDCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to catch it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). The service returns with the zero flag set when no debugger is
installed.

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>