About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected
* Y9 U1 c, p; S3 i
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to address the IVT (segment 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the SICE device name only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
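As an added example (not part of the original post), here is a small Python scanner that flags the byte encodings of the int 3, int 2Fh, int 41h, int 68h and VxDCall checks described above in a raw code image, the kind of static triage an analyst runs before loading an unknown binary under a debugger. The signatures and the sample image are hand-assembled for this example; the filler bytes, offsets and tag names are assumptions.

```python
import re

# Optional 66h operand-size prefix: 32-bit code doing the same 16-bit moves.
PREFIX = rb"(?:\x66)?"

# (tag, description, byte pattern) for the checks described in the text.
# Each pattern is the hand-assembled encoding of a listing's key instructions;
# the lazy ".{0,n}?" gaps tolerate an instruction or two in between.
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' interface: mov ebp,4243484Bh",
     PREFIX + rb"\xbd\x4b\x48\x43\x42"),
    ("M02", "int 3 back door: mov si,4647h / mov di,4A4Dh",
     PREFIX + rb"\xbe\x47\x46.{0,8}?" + PREFIX + rb"\xbf\x4d\x4a"),
    ("M03/04", "int 2Fh/1684h entry point of VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     PREFIX + rb"\xb8\x84\x16" + PREFIX + rb"\xbb(?:\x02\x02|\x5f\x7a).{0,6}?\xcd\x2f"),
    ("M05", "int 41h function 4Fh: mov ax,4Fh / int 41h",
     PREFIX + rb"\xb8\x4f\x00.{0,4}?\xcd\x41"),
    ("M07", "int 68h (V86) function 43h: mov ah,43h / int 68h",
     rb"\xb4\x43.{0,4}?\xcd\x68"),
    ("M12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("F386", "system debugger magic number: cmp ax,0F386h",
     PREFIX + rb"\x3d\x86\xf3"),
]


def scan(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, tag) for every signature hit, sorted by offset."""
    hits = []
    for tag, _desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((m.start(), tag))
    return sorted(hits)


# Constructed sample image (not from the page): NOP filler around hand-assembled
# copies of four of the listings above. Filler length and offsets are assumptions.
SAMPLE = (
    b"\x90" * 4
    # Method 02 as in the Haspinst.exe listing (16-bit code):
    # mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"
    + b"\x90" * 4
    # Method 03 (16-bit): xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"
    + b"\x90" * 4
    # Method 05 (16-bit): mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"
    + b"\x90" * 4
    # Method 01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, tag in scan(SAMPLE):
        desc = next(d for t, d, _ in SIGNATURES if t == tag)
        print(f"0x{offset:04x}  {tag:<6} {desc}")
```

A hit only says the bytes are present; a packer can split or obfuscate these sequences, so treat the output as a triage hint and confirm under a debugger with the BPX/BPINT conditions listed in the text.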