About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (the program's own int 3
  handler) if the debugger is not loaded: when SoftICE is resident it
  consumes the int 3 itself and execution falls through to 00A1h.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; still 0:0 if no VxD answered
    test    ax,ax
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next example, as well as Method 06 below, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 so es:[41h*4] is the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler and
    xchg    bx, es:[41h*4+2]        ; keep the old vector in bx:dx
    mov     ax,4fh
    int     41h                     ; our handler leaves ax untouched...
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; ...so 0F386h means a debugger answered
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; runs only if nobody swallowed the int
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0: the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = unpredictable timer byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler ran; a
    jnz     SoftICE_detected        ; debugger that ate the int leaves cl = 0

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
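An added example, not code from the original post: a decoder for the debug-register values this method reads. The DR7 bit layout is the one documented in the Intel SDM; the 0x700 / 0x400 observation is the page's own. Reading the registers needs ring 0 (a VxD or a kernel driver), so this script does not read them; it interprets values you already captured, pairs enabled slots with DR0..DR3, and shows the "clear the BPMs" manipulation the text mentions. The sample values at the bottom are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Sequence

# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3  local/global enable for hardware breakpoints DR0..DR3
#   bit 8/9    LE / GE         local/global exact breakpoint enable (both set -> 0x300)
#   bit 10     reserved, always reads as 1 -> the 0x400 baseline the page mentions
#   bit 13     GD              general detect: trap any MOV to/from a debug register
#   bits 16-31 R/Wn, LENn      condition and length for slot n (4 bits per slot)
RESERVED_BIT10 = 1 << 10
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes in 64-bit mode only


@dataclass
class HwBreakpoint:
    slot: int
    address: int
    local: bool
    global_: bool
    kind: str
    length: int


@dataclass
class Dr7Info:
    raw: int
    le: bool
    ge: bool
    gd: bool
    breakpoints: List[HwBreakpoint]


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> Dr7Info:
    """Decode DR7 and pair every enabled slot with its address from DR0..DR3."""
    bps = []
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue                      # slot disabled: R/W and LEN are noise
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        bps.append(HwBreakpoint(slot, dr0_3[slot], local, glob,
                                RW_KIND[rw], LEN_BYTES[ln]))
    return Dr7Info(dr7,
                   le=bool((dr7 >> 8) & 1),
                   ge=bool((dr7 >> 9) & 1),
                   gd=bool((dr7 >> 13) & 1),
                   breakpoints=bps)


def softice_loader_present(dr7: int) -> bool:
    """The page's heuristic: dr7 == 0x700 (LE and GE set) when the program was
    started through the SoftICE loader, plain 0x400 otherwise."""
    info = decode_dr7(dr7)
    return info.le and info.ge


def clear_bpms(dr7: int) -> int:
    """The 'clearing BPMs' manipulation: drop every L/G enable and every
    R/W-LEN field, keep LE/GE/GD and the reserved bit."""
    return (dr7 & 0x3F00) | RESERVED_BIT10


if __name__ == "__main__":
    # Constructed values: an idle DR7, a loader-started DR7, and one with a
    # 4-byte write BPM in slot 0 (L0=1, R/W0=01b, LEN0=11b) at 0x401000.
    for value in (0x400, 0x700, 0xD0401):
        info = decode_dr7(value, (0x401000, 0, 0, 0))
        bps = [(b.slot, hex(b.address), b.kind, b.length) for b in info.breakpoints]
        print(f"dr7={value:#x} loader={softice_loader_present(value)} "
              f"bps={bps} cleared={clear_bpms(value):#x}")
```

The heuristic is exactly as weak as the text implies: LE/GE are set by whoever started the process, so a target launched some other way under SoftICE shows 0x400, and a BPM check only sees breakpoints that exist at the moment of the read.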

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.


Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the open succeeded: the driver answered */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'


-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 (HFILE_ERROR) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>