<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP='BCHK' and
AX=4, SoftICE's INT 3 handler answers by changing AL (it returns 0); if no
debugger is loaded the INT 3 returns with AL still equal to 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point); if no VxD with that ID is loaded,
ES:DI is left at 0000:0000. (ADD is a cheap "are both zero" test here; OR
would be the exact one.)

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE graphics (video) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler around the call: without a debugger the call lands on the dummy
IRET and AX stays 4Fh, whereas SoftICE, which intercepts int 41h above the
real-mode vector table, still answers 0F386h.

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL, so what is tested is whether the handler
was reached at all (CL == AL) rather than whether 0F386h came back. AL is
loaded from the timer port so the value compared is not a constant (if the
byte read happens to be 0 the test misses that one time).

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = low byte of PIT counter 0
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client
    eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine   ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (dr7=0x700 if you loaded the program with
the SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(dr0 to dr3), simply by reading their value (ring 0 only). The values can
be manipulated or changed as well (clearing BPMs, for instance).

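Decoding the two DR7 values quoted above makes the heuristic explicit. The
Python below is an added example, not code from the original text: the bit
layout is Intel's documented DR7 layout, and the reading of 0x700 versus
0x400 follows from it (both carry the reserved bit 10, which always reads
as 1; 0x700 additionally has LE and GE, the "exact breakpoint match" flags,
with no breakpoint slot enabled). The function name softice_loader_signature
and the sample BPM value are chosen here. Reading DR7 for real takes a
ring-0 "mov eax, dr7", so the functions take the register values as
arguments.

```python
# Added example: decode DR7 and pair it with DR0..DR3 (SoftICE BPMs).
# Bit layout per Intel SDM; the 0x700/0x400 values are the ones the text quotes.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}   # 10b means 8 bytes only in 64-bit mode

def decode_dr7(dr7: int) -> dict:
    """Return the four breakpoint slots DR7 describes plus its global flags."""
    slots = []
    for n in range(4):
        local_en = (dr7 >> (2 * n)) & 1        # L0..L3: bits 0,2,4,6
        global_en = (dr7 >> (2 * n + 1)) & 1   # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * n)) & 3         # R/Wn: condition
        ln = (dr7 >> (18 + 4 * n)) & 3         # LENn: size
        slots.append({
            "enabled": bool(local_en or global_en),
            "scope": "global" if global_en else ("local" if local_en else None),
            "type": RW_NAMES[rw],
            "len": LEN_NAMES[ln],
        })
    return {
        "slots": slots,
        "LE": bool(dr7 & 0x100),              # local exact breakpoint match
        "GE": bool(dr7 & 0x200),              # global exact breakpoint match
        "reserved_bit10": bool(dr7 & 0x400),  # always reads as 1
        "GD": bool(dr7 & 0x2000),             # general detect: trap on DRx access
    }

def active_breakpoints(dr7: int, dr0_3) -> list:
    """Pair DR0..DR3 addresses with the slots DR7 enables: (slot, addr, type, len)."""
    d = decode_dr7(dr7)
    out = []
    for n, (slot, addr) in enumerate(zip(d["slots"], dr0_3)):
        if slot["enabled"]:
            out.append((n, addr, slot["type"], slot["len"]))
    return out

def softice_loader_signature(dr7: int) -> bool:
    """Method 10 heuristic: LE and GE set while no slot is enabled (0x700 style)."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"] and not any(s["enabled"] for s in d["slots"])

if __name__ == "__main__":
    for v in (0x400, 0x700):
        print(hex(v), decode_dr7(v))
    # Constructed sample: 0x700 plus slot 0 enabled as a 4-byte read/write BPM
    sample_dr7 = 0xF0701
    print(active_breakpoints(sample_dr7, [0x401000, 0, 0, 0]))
```

Note that a program started without the SoftICE loader but with a BPM set
will show 0x400 plus the slot bits, so only the LE/GE pair, not DR7 being
"non-zero", tells the two cases apart.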
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
             ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
             ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov  eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                  ; HFILE_ERROR (-1) becomes 0
    jnz  00650589             ; detected
    push 00                   ; OF_READ
    mov  eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

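All of the tricks above compile to short, fixed byte sequences, so a packer
or protector that embeds one of them can be found statically before it is
ever run under the debugger. The scanner below is an added example; it is
not from the original text nor from any of the tools named in it. The
opcode encodings are standard x86 (an optional 66h operand-size prefix lets
the 16-bit and the 32-bit build of the same source line match), the labels
are the method numbers used on this page, the instruction order inside each
pattern is the one shown in the listings (a different assembler output will
need its own pattern), and the sample image is constructed inline. To use it
on a real file, call scan(open(path, "rb").read()).

```python
# Added example: static byte-signature scanner for the SoftICE detection
# tricks described as Methods 01, 02, 03, 04, 05, 07, 11 and 12.
import re

# (label, regex over raw bytes). Jump displacements after the compare are
# deliberately not part of the pattern; \x66? is the optional operand-size prefix.
SIGNATURES = [
    ("M01 BCHK int 3",                      # mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
     rb"\x66?\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc\x3c\x04"),
    ("M02 back door magic SI/DI",           # mov si,4647h / mov di,4A4Dh (order as in Haspinst)
     rb"\xbe\x47\x46\xbf\x4d\x4a"),
    ("M03 int 2Fh/1684h SICE (0202h)",      # mov ax,1684h / mov bx,0202h / int 2Fh
     rb"\x66?\xb8\x84\x16\x66?\xbb\x02\x02\xcd\x2f"),
    ("M04 int 2Fh/1684h SIWVID (7A5Fh)",    # mov ax,1684h / mov bx,7A5Fh / int 2Fh
     rb"\x66?\xb8\x84\x16\x66?\xbb\x5f\x7a\xcd\x2f"),
    ("M05 int 41h/4Fh",                     # mov ax,4Fh / int 41h / cmp ax,0F386h
     rb"\x66?\xb8\x4f\x00\xcd\x41\x66?\x3d\x86\xf3"),
    ("M07 int 68h/43h",                     # mov ah,43h / int 68h / cmp ax,0F386h
     rb"\xb4\x43\xcd\x68\x66?\x3d\x86\xf3"),
    ("M12 VxDCall VWIN32_Int41Dispatch",    # push 4Fh (imm8 or imm32) / push 002A002Ah
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("M11 MeltICE device name",             # "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE", NUL-terminated
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
]

def scan(blob: bytes) -> list:
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), label))
    return sorted(hits)

def build_sample() -> bytes:
    """Constructed image: NOP filler around three of the tricks, for a dry run."""
    nops = b"\x90" * 16
    m01 = bytes.fromhex("bd4b484342" "66b80400" "cc" "3c04" "7510")   # 32-bit Method 01 + jnz
    m05 = bytes.fromhex("b84f00" "cd41" "3d86f3" "7405")              # 16-bit Method 05 + jz
    m11 = b"\\\\.\\NTICE\x00"                                          # MeltICE, NT driver name
    return nops + m01 + nops + m05 + nops + m11 + nops

if __name__ == "__main__":
    for off, label in scan(build_sample()):
        print(f"{off:08x}  {label}")
```

The hits give the file offsets at which to place a BPX once the program is
loaded; the 'magic value' tricks (Methods 02, 05, 07, 12) are the ones worth
patching out first, since they are the ones a protector can abuse to execute
HBOOT or crash the debugger.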
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
inside key #2 and key #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>