<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3                 ; BoundsChecker/SoftICE interface
    cmp al, 4             ; al is still 4 when nothing answered the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV  AX,0911    ; execute command.
    4C19:0098 MOV  DX,[BX]    ; ds:dx point to the command (see below).
    4C19:009A MOV  SI,4647    ; 1st magic value.
    4C19:009D MOV  DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD  BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC  CX
    4C19:00A5 CMP  CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB   0095       ; 6 different commands.
    4C19:00AA JMP  0002       ; Bad_Guy jmp back.
    4C19:00AD MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di       ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax      ; still 0 -> no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz  SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                 ; ES=0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install a dummy int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h            ; only a debugger sitting below the IVT can answer
    jz  SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP



_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al       ; our own handler: only reached if no debugger eats int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                 ; ES=0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                ; read a changing value (timer port)
    xor cx,cx
    int 41h                   ; our handler copies al into cl...
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                 ; ...unless a debugger handled int 41h instead
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz  SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
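To make the two DR7 values quoted above concrete, here is an added Python decoder that is not part of the original text: 0x400 is only the always-set reserved bit 10, while 0x700 additionally has the LE and GE bits (8 and 9) set; a set BPM shows up as an L/G enable bit plus an R/W and LEN field for its slot. The bit layout follows the Intel SDM description of DR7; the function names and the sample values are mine. It goes beyond the page by also showing how a BPM would be encoded into DR7 and how the "clearing BPMs" manipulation looks at the bit level.

```python
from dataclasses import dataclass
from typing import Dict, List

# R/W and LEN field encodings of DR7 (Intel SDM, "Debug Control Register").
RW_NAMES: Dict[int, str] = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES: Dict[int, int] = {0: 1, 1: 2, 2: 8, 3: 4}
SLOT_BITS_MASK = 0x000000FF | 0xFFFF0000   # L0..G3 enables + all R/W and LEN fields


@dataclass
class HwBreakpoint:
    index: int        # 0..3 -> DR0..DR3
    local: bool       # Ln bit set
    global_: bool     # Gn bit set
    access: str       # one of RW_NAMES
    length: int       # bytes covered


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its global flags and the breakpoints it enables.
    Bits 0-7: L0,G0,...,L3,G3; bit 8: LE; bit 9: GE; bit 10: reserved (reads 1);
    bit 13: GD; bits 16-31: R/Wn (2 bits) and LENn (2 bits) for slot n."""
    bps: List[HwBreakpoint] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                      # slot disabled: R/W and LEN are irrelevant
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, local, glob, RW_NAMES[rw], LEN_NAMES[ln]))
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": bps,
    }


def looks_like_debugger_present(dr7: int) -> bool:
    """Heuristic in the spirit of Method 10: anything beyond the reserved bit 10."""
    d = decode_dr7(dr7)
    return d["LE"] or d["GE"] or d["GD"] or bool(d["breakpoints"])


def encode_bpm(slot: int, access: str, length: int, local: bool = True) -> int:
    """Build the DR7 bits that enable one memory breakpoint in the given slot."""
    rw = {v: k for k, v in RW_NAMES.items()}[access]
    ln = {v: k for k, v in LEN_NAMES.items()}[length]
    enable = 1 << (2 * slot) if local else 1 << (2 * slot + 1)
    return enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


def clear_breakpoints(dr7: int) -> int:
    """Disable all four slots (the 'clearing BPMs' manipulation), keeping LE/GE/GD
    and the reserved bit so the loader signature 0x700/0x400 is untouched."""
    return dr7 & ~SLOT_BITS_MASK & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample values, not read from a real machine.
    for value in (0x400, 0x700, 0x700 | encode_bpm(0, "read/write", 4)):
        print(f"dr7={value:#010x} -> {decode_dr7(value)}")
```

`decode_dr7(0x700)` reports LE and GE set and no breakpoints, `decode_dr7(0x400)` reports nothing at all, and adding `encode_bpm(0, "read/write", 4)` to either value yields one local 4-byte read/write breakpoint in slot 0, which `clear_breakpoints` removes again without touching bits 8-10.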

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the \\.\SICE device can be opened, i.e. when the
   SoftICE VxD answers the DIOC_OPEN that CreateFile sends it. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001    ; INVALID_HANDLE_VALUE
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00               ; OF_READ
    mov  eax,[00656634]   ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax              ; HFILE_ERROR (-1) becomes 0
    jnz  00650589         ; detected
    push 00               ; OF_READ
    mov  eax,[00656638]   ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae         ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp  ax, 0f386h       ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
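The SoftICE breakpoints above catch these tricks at run time; an analyst looking at a packed sample statically wants the same knowledge as byte signatures. The following Python scanner is an added example (not code from the original text or from any of the tools it mentions) that encodes the instruction sequences of Methods 01, 02, 03/04, 05, 07 and 12 as YARA-style hex patterns with bounded wildcard gaps, then runs them over a constructed buffer. The opcode encodings (for instance `BE 47 46` for `mov si,4647h`, `CD 2F` for `int 2Fh`) and the rule names are mine; the sample buffer re-encodes the Haspinst.exe listing from Method 02 by hand and is not taken from a real binary.

```python
import re
from typing import Dict, List, Tuple


def compile_pattern(spec: str) -> "re.Pattern[bytes]":
    """Turn a YARA-style hex string into a bytes regex.
    Tokens: 'AB' = literal byte, '??' = any one byte, '[a-b]' = a..b arbitrary bytes."""
    parts = []
    for tok in spec.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, hi = tok.strip("[]").split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# Hand-made opcode signatures (assumption: 16-bit or 32-bit x86 as listed on the page):
# BD=mov ebp,imm32  B8=mov ax,imm16  BB=mov bx,imm16  BE/BF=mov si/di,imm16
# B4=mov ah,imm8  CC=int 3  CD xx=int xx  3D=cmp ax,imm16  6A/68=push imm8/imm32.
# The short gaps absorb 0x66 operand-size prefixes and one or two instructions.
RULES: Dict[str, List[str]] = {
    "M01_BCHK_int3":             ["BD 4B 48 43 42 [0-8] CC"],               # mov ebp,'BCHK' .. int 3
    "M02_backdoor_int3":         ["BE 47 46 [0-1] BF 4D 4A [0-4] CC"],      # si=4647h, di=4A4Dh, int 3
    "M03_int2F_1684_SICE":       ["B8 84 16 [0-1] BB 02 02 [0-4] CD 2F"],
    "M04_int2F_1684_SIWVID":     ["B8 84 16 [0-1] BB 5F 7A [0-4] CD 2F"],
    "M05_int41_4F":              ["B8 4F 00 [0-1] CD 41 [0-16] 3D 86 F3"],  # gap: the xchg vector swaps
    "M07_int68_43":              ["B4 43 CD 68 [0-4] 3D 86 F3"],
    "M12_VxDCall_Int41Dispatch": ["6A 4F 68 2A 00 2A 00",                   # push 4fh; push 002A002Ah
                                  "68 4F 00 00 00 68 2A 00 2A 00"],
}
COMPILED = {name: [compile_pattern(p) for p in pats] for name, pats in RULES.items()}


def scan(buf: bytes) -> List[Tuple[str, int]]:
    """Return sorted (rule, offset) pairs for every anti-SoftICE sequence found in buf."""
    hits = set()
    for name, regexes in COMPILED.items():
        for rx in regexes:
            for m in rx.finditer(buf):
                hits.add((name, m.start()))
    return sorted(hits)


# Constructed sample: the Haspinst.exe listing from Method 02 re-encoded by hand as
# 16-bit opcodes, plus hand-encoded instances of Methods 01, 03, 05 and 12, separated
# by NOP padding. Nothing here comes from a real binary.
HASPINST_M02 = bytes.fromhex(
    "B81109"   # 4C19:0095 MOV AX,0911
    "8B17"     # 4C19:0098 MOV DX,[BX]
    "BE4746"   # 4C19:009A MOV SI,4647
    "BF4D4A"   # 4C19:009D MOV DI,4A4D
    "CC"       # 4C19:00A0 INT 3
    "83C302"   # 4C19:00A1 ADD BX,02
    "41"       # 4C19:00A4 INC CX
    "83F906"   # 4C19:00A5 CMP CX,06
    "72EB"     # 4C19:00A8 JB 0095
    "E955FF"   # 4C19:00AA JMP 0002
    "8BDC"     # 4C19:00AD MOV BX,SP
)
M01 = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7500")   # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
M03 = bytes.fromhex("33FF" "8EC7" "B88416" "BB0202" "CD2F")        # xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
M05 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7400")               # mov ax,4fh; int 41h; cmp ax,0F386h; jz
M12 = bytes.fromhex("6A4F" "682A002A00" "FF1500000000" "663D86F3" "7400")  # push 4fh; push 2A002Ah; call [..]; cmp ax,..
PAD = b"\x90" * 4
SAMPLE = PAD + M01 + PAD + HASPINST_M02 + PAD + M03 + PAD + M05 + PAD + M12

if __name__ == "__main__":
    for rule, off in scan(SAMPLE):
        print(f"{off:#06x}  {rule}")
```

On the constructed buffer the scanner reports exactly the five embedded sequences (Methods 01, 02, 03, 05 and 12) at their offsets and nothing for the SIWVID and int 68h rules that are not present; the gap sizes are deliberately small so that a stray `CC` or `CD 41` far from its setup instructions does not fire.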
: b! C: u; @) D) ^: G) Q: Q
1 Y. d) L9 D9 ?1 X$ Z3 t__________________________________________________________________________* q8 M: ]3 ^8 K. w$ v; e* L

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
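Both MeltICE (Method 11) and the registry probe (Method 13) leave fixed strings in the program that uses them: the device names `\\.\SICE`, `\\.\SIWVID`, `\\.\NTICE` and the three registry paths. The added Python scanner below (my own example, not from the original text) searches a buffer for them case-insensitively, in ASCII as used by the `CreateFileA` and `_lopen` calls and in UTF-16LE as a wide-string API would pass them, and reports kind, encoding and offset. The function names and the sample bytes are constructed for the example.

```python
import re
from typing import List, Tuple

# Strings quoted on the page for Methods 11 and 13 (the HKEY_LOCAL_MACHINE root is
# not stored in the binary, only the subkey path handed to RegOpenKey).
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def _ascii_regex(needle: str) -> "re.Pattern[bytes]":
    return re.compile(re.escape(needle.encode("ascii")), re.IGNORECASE)


def _utf16le_regex(needle: str) -> "re.Pattern[bytes]":
    """Case-insensitive UTF-16LE form: each letter becomes [xX]\\x00."""
    parts = []
    for ch in needle:
        if ch.isalpha():
            parts.append(b"[" + ch.lower().encode("ascii") + ch.upper().encode("ascii") + b"]\x00")
        else:
            parts.append(re.escape(ch.encode("ascii")) + b"\x00")
    return re.compile(b"".join(parts))


def find_softice_artifacts(buf: bytes) -> List[Tuple[str, str, int, str]]:
    """Return (kind, encoding, offset, string) for every SoftICE device name or
    registry key found in buf, ordered by offset."""
    hits = []
    for kind, needles in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for needle in needles:
            for enc, rx in (("ascii", _ascii_regex(needle)),
                            ("utf-16le", _utf16le_regex(needle))):
                for m in rx.finditer(buf):
                    hits.append((kind, enc, m.start(), needle))
    return sorted(hits, key=lambda h: h[2])


# Constructed sample buffer (not a real executable): an ASCII MeltICE device name,
# a wide-string NTICE name and a lower-cased registry path between junk bytes.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"MZ\x90\x00" * 3
    + "\\\\.\\NTICE".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 4
    + b"software\\numega\\softice\x00"
)

if __name__ == "__main__":
    for kind, enc, off, s in find_softice_artifacts(SAMPLE):
        print(f"{off:#06x} {kind:8s} {enc:8s} {s}")
```

Matching is done on raw bytes rather than on extracted printable strings so that the wide-string variant, which a strings-style pass would split into single characters, is still found.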

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>