<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
        -AX = 0910h (Display string in SIce window)
        -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
        -AX = 0912h (Get breakpoint info)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
        -SI = 4647h
        -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911      ; execute command.
4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647      ; 1st magic value.
4C19:009D MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0 INT  3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8 JB   0095         ; 6 different commands.
4C19:00AA JMP  0002         ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
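Added example (not part of the original text, and not code from any of the programs it mentions): a Python decoder that takes the register state at an int 3 and tells an analyst whether it is a back-door request, which function (0910h-0914h) is being called and, for the two string-carrying functions, what command sits at ds:dx, flagging HBOOT. The Haspinst.exe loop above is replayed against a constructed memory image; the command table layout, the segment values and the DANGEROUS_COMMANDS set are assumptions of this example.

```python
# Added example (not from the original text): decode a SoftICE int 3
# "back door" request from a captured register state, the way an analyst's
# int 3 hook or emulator callback would, so the requested command can be
# logged and dangerous ones (HBOOT) flagged before any debugger sees them.
# Register values, memory layout and the command list are constructed here
# from the Haspinst.exe walkthrough above; they are not captured data.

MAGIC_SI = 0x4647          # 'FG'
MAGIC_DI = 0x4A4D          # 'JM'

BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# Commands that reboot or otherwise take down the machine when executed
# (assumption of this example: only HBOOT is listed, extend as needed).
DANGEROUS_COMMANDS = {"HBOOT"}


def read_cstring(mem, addr, limit=64):
    """Read a NUL-terminated ASCII string from a flat memory image."""
    end = mem.find(b"\x00", addr)
    if end < 0 or end - addr > limit:
        end = addr + limit
    return mem[addr:end].decode("ascii", errors="replace")


def decode_backdoor(regs, mem):
    """Classify one int 3 invocation.

    regs: dict with 16-bit AX, SI, DI, DS, DX (DS:DX is a real-mode pointer).
    mem:  bytes, a flat image of the program's memory.
    Returns None when the int 3 is an ordinary breakpoint, otherwise a dict
    describing the back-door request.
    """
    if regs["SI"] != MAGIC_SI or regs["DI"] != MAGIC_DI:
        return None                      # plain int 3, not the back door
    func = regs["AX"]
    name = BACKDOOR_FUNCS.get(func, "unknown back-door function")
    result = {"function": func, "name": name, "command": None, "dangerous": False}
    if func in (0x0910, 0x0911):         # these two carry a string at DS:DX
        linear = (regs["DS"] << 4) + regs["DX"]
        cmd = read_cstring(mem, linear)
        result["command"] = cmd
        result["dangerous"] = cmd.strip().upper() in DANGEROUS_COMMANDS
    return result


def replay_haspinst_loop():
    """Replay the six-command loop from the Haspinst.exe listing above.

    The memory image and register values are constructed for this example.
    """
    commands = [b"LDT", b"IDT", b"GDT", b"TSS", b"RS", b"HBOOT"]
    mem = bytearray(0x100)
    # Lay the NUL-terminated command strings out in one segment and build
    # the table of near pointers that 'MOV DX,[BX]' walks through.
    table, cursor = [], 0x40
    for c in commands:
        table.append(cursor)
        mem[cursor:cursor + len(c) + 1] = c + b"\x00"
        cursor += len(c) + 1
    seen = []
    for ptr in table:
        regs = {"AX": 0x0911, "SI": MAGIC_SI, "DI": MAGIC_DI, "DS": 0x0000, "DX": ptr}
        seen.append(decode_backdoor(regs, bytes(mem)))
    return seen


if __name__ == "__main__":
    for req in replay_haspinst_loop():
        flag = "  <-- reboots/crashes the machine" if req["dangerous"] else ""
        print(f"AX={req['function']:04X} {req['name']}: {req['command']}{flag}")
```

Handling int 3 this way (in an emulator, or in a debugger other than SoftICE) lets you log what a packer asks the back door for without the request ever reaching SoftICE's handler, so the HBOOT at the end of the Haspinst loop is recorded instead of executed.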


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

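Added example, not from the original text: a decoder for DR7 so the two values quoted above (0x700 with the SoftICE loader, 0x400 otherwise) can be compared field by field, plus a listing of the active hardware breakpoints (BPMs) in DR0-DR3. The bit positions follow the Intel-documented DR7 layout; reading the debug registers still needs ring 0, so the register values in the block are constructed, not read from a live machine, and the breakpoint address used is made up.

```python
# Added example (not from the original text): decode the x86 debug control
# register DR7 field by field, and list which of DR0..DR3 currently hold an
# active hardware breakpoint. Bit layout is the Intel-documented DR7 format;
# the sample register values at the bottom are constructed.

RW_NAMES = {0: "execute", 1: "write", 2: "i/o", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return the global flags of DR7 and the per-slot enable/type/length fields."""
    flags = {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint match
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint match
        "reserved_bit10": bool(dr7 & (1 << 10)),  # architecturally always set
        "GD": bool(dr7 & (1 << 13)),              # general detect: traps MOV to/from DRx
    }
    slots = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({
            "slot": n, "enabled": local or glob,
            "local": local, "global": glob,
            "type": RW_NAMES[rw], "length": LEN_NAMES[ln],
        })
    return flags, slots


def active_breakpoints(dr0_3, dr7):
    """Pair each enabled DR7 slot with the linear address held in DR0..DR3."""
    _, slots = decode_dr7(dr7)
    return [(s["slot"], dr0_3[s["slot"]], s["type"], s["length"])
            for s in slots if s["enabled"]]


def loader_signature(dr7):
    """Which of the two DR7 states quoted in the text does this value match?

    Only LE/GE are compared, so breakpoint enable bits do not disturb the check.
    """
    flags, _ = decode_dr7(dr7)
    if flags["LE"] and flags["GE"]:
        return "0x700-style: LE and GE set (SoftICE loader)"
    return "0x400-style: only the reserved bit set"


if __name__ == "__main__":
    # Constructed states: (a) loaded through the SoftICE loader, no BPMs;
    # (b) plain start, one 4-byte read/write BPM in slot 0 on a made-up address.
    for dr7, drs in [(0x700, [0, 0, 0, 0]),
                     (0x400 | 0x1 | (0b11 << 16) | (0b11 << 18), [0x00401000, 0, 0, 0])]:
        print(f"DR7={dr7:#010x}: {loader_signature(dr7)}")
        for slot, addr, kind, length in active_breakpoints(drs, dr7):
            print(f"  slot {slot}: {kind} BPM, {length} byte(s) at {addr:#010x}")
```

The difference between 0x700 and 0x400 is only the LE and GE exact-match bits (bits 8 and 9); bit 10 is architecturally always set, which is why the "clean" value is 0x400 rather than 0. A protection reading DR7 this way is looking at exactly those two bits and at the L0-L3/G0-G3 enables, so those are the fields a debugger has to keep clean (or hide) while the check runs.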
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

__________________________________________________________________________

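Added example, not from the original text and not code from MeltICE, nmtrans.dll or AZPR: a static counterpart to the BPX CreateFileA breakpoints above. It walks a 32-bit code image, resolves the operand of push imm32 (the MeltICE idiom at 00401067) and of mov eax,[moffs32] (the _lopen idiom) back to the string it points at, and reports those that name a SoftICE device, so the check shows up from a dead listing without running the program. The image is constructed; the flat file-offset == RVA mapping at an assumed base of 0x00400000, the device name list and the 16-byte "call follows" window are assumptions of this example, not properties of real PE files (where virtual addresses go through the section table first).

```python
# Added example (not from the original text): resolve pointer operands of
# 'push imm32' (68 xx xx xx xx) and 'mov eax,[moffs32]' (A1 xx xx xx xx)
# to the strings they reference and flag SoftICE device names. The image is
# constructed and assumes file offset == RVA at IMAGE_BASE (an assumption
# of this example; real PE files need section-table translation).
import struct

IMAGE_BASE = 0x00400000                    # assumed base for the constructed image
DEVICE_NAMES = ("SICE", "SIWVID", "NTICE") # driver names quoted in the text


def device_name(s):
    """Return the device name if s is '\\\\.\\NAME' for a known debugger driver."""
    s = s.strip()
    if s.startswith("\\\\.\\"):
        tail = s[4:].upper()
        if tail in DEVICE_NAMES:
            return tail
    return None


def read_cstring(image, va, limit=32):
    off = va - IMAGE_BASE
    if not 0 <= off < len(image):
        return None
    end = image.find(b"\x00", off, off + limit)
    if end < 0:
        return None
    return image[off:end].decode("ascii", errors="replace")


def read_dword(image, va):
    off = va - IMAGE_BASE
    if not 0 <= off <= len(image) - 4:
        return None
    return struct.unpack_from("<I", image, off)[0]


def call_follows(image, off, window=16):
    """True if an E8 (call rel32) or FF 15 (call [mem]) appears within 'window' bytes."""
    chunk = image[off:off + window]
    return b"\xe8" in chunk or b"\xff\x15" in chunk


def find_device_opens(image):
    """Scan for pointers to debugger device strings.

    Returns (va_of_instruction, mnemonic, device_name, call_near) tuples.
    """
    hits = []
    for off in range(len(image) - 4):
        op = image[off]
        if op not in (0x68, 0xA1):
            continue
        operand = struct.unpack_from("<I", image, off + 1)[0]
        if op == 0x68:                         # push imm32: immediate is the pointer
            ptr, mnem = operand, "push imm32"
        else:                                  # mov eax,[moffs32]: pointer stored there
            ptr, mnem = read_dword(image, operand), "mov eax,[moffs32]"
            if ptr is None:
                continue
        s = read_cstring(image, ptr)
        name = device_name(s) if s else None
        if name:
            hits.append((IMAGE_BASE + off, mnem, name, call_follows(image, off + 5)))
    return hits


def build_sample_image():
    """Constructed image: strings, a pointer table and two call sites."""
    img = bytearray(0x200)
    img[0x20:0x29] = b"\\\\.\\SICE\x00"          # at 0x00400020
    img[0x30:0x3B] = b"\\\\.\\SIWVID\x00"        # at 0x00400030
    img[0x40:0x4A] = b"\\\\.\\NTICE\x00"         # at 0x00400040, never referenced
    struct.pack_into("<I", img, 0x80, IMAGE_BASE + 0x30)   # pointer table at 0x00400080
    code = bytes([0x68]) + struct.pack("<I", IMAGE_BASE + 0x20)   # push 00400020
    code += b"\xff\x15" + struct.pack("<I", IMAGE_BASE + 0x100)   # call [import slot]
    code += b"\x83\xf8\xff"                                        # cmp eax,-1
    code += b"\x6a\x00"                                            # push 0 (OF_READ)
    code += bytes([0xA1]) + struct.pack("<I", IMAGE_BASE + 0x80)  # mov eax,[00400080]
    code += b"\x50"                                                # push eax
    code += b"\xe8" + struct.pack("<i", 0x40)                      # call rel32
    img[0x120:0x120 + len(code)] = code
    return bytes(img)


if __name__ == "__main__":
    for va, mnem, name, near_call in find_device_opens(build_sample_image()):
        tag = "  (call follows)" if near_call else ""
        print(f"{va:08x}: {mnem} -> \\\\.\\{name}{tag}")
```

The NTICE string in the sample is present but never referenced, so it is not reported: the scan flags code that actually hands a device name to a call, which is what the BPX CreateFileA condition above also keys on, rather than the mere presence of the string.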
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ;  (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
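Added example, not from the original text: a byte-signature scanner for the instruction sequences of methods 01, 03, 04, 05, 06, 07 and 12 above (the int 3/'BCHK' check, the int 2Fh/1684h VxD ID lookups, the int 41h/4Fh and int 68h/43h checks, the 0F386h comparison and the VWIN32_Int41Dispatch VxDCall). The patterns are derived from the standard x86 encodings of the instructions listed in those methods (B8 imm16 for mov ax, BB imm16 for mov bx, CD xx for int xx, 68 imm32 for push); the SIGNATURES table and the sample blob are constructed for this demonstration, not taken from any real program.

```python
# Added example (not from the original text): a static scanner for the
# opcode sequences behind methods 01, 03-07 and 12, of the kind an analyst
# runs over an unpacked binary before deciding how to handle it. 16-bit and
# 32-bit code share these encodings except for the 66h operand-size prefix,
# which the patterns deliberately leave out so both are matched.
import re

# (description, method number in the text, byte pattern)
SIGNATURES = [
    ("BoundsChecker 'BCHK' int 3 check",            "01",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),              # mov ebp,4243484Bh .. int 3
    ("int 2Fh/1684h with SICE VxD ID 0202h",        "03",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),                  # mov bx,0202h .. int 2Fh
    ("int 2Fh/1684h with SIWVID VxD ID 7A5Fh",      "04",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),                  # mov bx,7A5Fh .. int 2Fh
    ("int 41h/4Fh debugger installation check",     "05",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),                  # mov ax,4Fh .. int 41h
    ("comparison against magic value 0F386h",       "05/07/12",
     rb"\x3D\x86\xF3"),                                 # cmp ax,0F386h (3 bytes: weak alone)
    ("int 41h fed with the timer port (in al,40h)", "06",
     rb"\xE4\x40.{0,8}?\xCD\x41"),                      # in al,40h .. int 41h
    ("int 68h/43h WinICE handler check",            "07",
     rb"\xB4\x43\xCD\x68"),                             # mov ah,43h ; int 68h
    ("VxDCall VWIN32_Int41Dispatch function 4Fh",   "12",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),     # push 4Fh ; push 002A002Ah
]
COMPILED = [(desc, method, re.compile(pat, re.DOTALL)) for desc, method, pat in SIGNATURES]


def scan(blob):
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for desc, method, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    hits.sort()
    return hits


def methods_present(blob):
    """The sorted set of method labels whose pattern occurred at least once."""
    return sorted({method for _, method, _ in scan(blob)})


def build_sample():
    """Constructed blob: four of the sequences from the text, separated by NOP sleds."""
    m01 = bytes.fromhex("66 BD 4B 48 43 42  B8 04 00  CC  3C 04  75 05")   # 16-bit method 01
    m05 = bytes.fromhex("B8 4F 00  CD 41  3D 86 F3  74 03")                 # 16-bit method 05
    m07 = bytes.fromhex("B4 43  CD 68  3D 86 F3  74 03")                    # 16-bit method 07
    m12 = bytes.fromhex("68 4F 00 00 00  68 2A 00 2A 00  FF 15 00 00 00 00  66 3D 86 F3  74 03")
    return (b"\x90" * 16).join([m01, m05, m07, m12])


if __name__ == "__main__":
    for off, method, desc in scan(build_sample()):
        print(f"{off:#06x}  method {method:<9} {desc}")
```

The three-byte `cmp ax,0F386h` pattern is the weakest entry: on its own it will also fire on data, so treat it as corroboration for a nearby int 41h/int 68h/VxDCall hit rather than as a finding by itself. The lazy `.{0,8}?` gaps allow for the register setup that packers typically shuffle between the loads and the interrupt.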

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

        -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \Uninstall\SoftICE
        -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
        -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>