<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; ds:dx points to the command string)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WinICE
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax         ; ES:DI == 0:0 means no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table (added here, as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install a dummy int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]        ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h             ; the dummy handler leaves ax alone; only a
    jz SoftICE_detected        ; system debugger intercepting int 41h answers 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; unpredictable value from the timer port
    xor cx, cx
    int 41h                    ; our handler copies al into cl...
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                 ; ...unless a system debugger swallowed the int
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
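
Methods 01 to 07 above all reduce to the same shape: load a fixed immediate (a
signature, a VxD ID or a function number), raise an interrupt, compare the
answer. That makes them easy to flag statically before the program is ever run
under a debugger. The scanner below is an added example, not part of the
original text: it searches a raw code blob for those immediates sitting within
a few bytes before the matching INT. Assumed: 16-bit instruction encodings (in
32-bit code the same immediates follow a 66h prefix, which sits before the bytes
searched for, so they are still caught), a 32-byte look-back window, and a sample
blob constructed from the listings in Methods 02, 03, 05 and 07. Method 06 raises
int 41h without a function number and is not in the table.

```python
# Added example (not from the original text): a static scanner for the
# register-setup + INT sequences of Methods 01 to 07. Byte encodings are the
# 16-bit ones; the sample blob is constructed from the listings in the text.

SIGNATURES = [
    # (method, description, INT opcode that anchors the match,
    #  setup bytes that must all appear within WINDOW bytes before the INT)
    (1, "int 3 with ebp='BCHK' (BoundsChecker signature)",
     b"\xCC", [b"\xBD\x4B\x48\x43\x42"]),                 # mov ebp,04243484Bh
    (2, "int 3 back door with SI=4647h / DI=4A4Dh",
     b"\xCC", [b"\xBE\x47\x46", b"\xBF\x4D\x4A"]),         # mov si,4647h ; mov di,4A4Dh
    (3, "int 2Fh/1684h with VxD ID 0202h (SICE)",
     b"\xCD\x2F", [b"\xB8\x84\x16", b"\xBB\x02\x02"]),     # mov ax,1684h ; mov bx,0202h
    (4, "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     b"\xCD\x2F", [b"\xB8\x84\x16", b"\xBB\x5F\x7A"]),     # mov ax,1684h ; mov bx,7A5Fh
    (5, "int 41h function 4Fh (expects 0F386h)",
     b"\xCD\x41", [b"\xB8\x4F\x00"]),                      # mov ax,4Fh
    (7, "int 68h function 43h (expects 0F386h)",
     b"\xCD\x68", [b"\xB4\x43"]),                          # mov ah,43h
]
WINDOW = 32                        # chosen heuristic: look-back distance before the INT
MAGIC_RESPONSE = b"\x3D\x86\xF3"   # cmp ax,0F386h: the system-debugger magic answer


def scan(blob: bytes):
    """Return a sorted list of (int_offset, method, description) for every match."""
    hits = []
    for method, desc, anchor, setup in SIGNATURES:
        start = 0
        while (pos := blob.find(anchor, start)) != -1:
            window = blob[max(0, pos - WINDOW):pos]
            if all(s in window for s in setup):
                hits.append((pos, method, desc))
            start = pos + 1
    return sorted(hits)


def checks_magic_number(blob: bytes, int_offset: int, lookahead: int = 16) -> bool:
    """True when a 'cmp ax,0F386h' follows the INT, i.e. the code really tests for
    the debugger magic number rather than using the interrupt for something else."""
    return MAGIC_RESPONSE in blob[int_offset:int_offset + lookahead]


def backdoor_function(blob: bytes, int3_offset: int):
    """For a Method 02 hit, recover AX (0910h..0914h) from the last 'mov ax,09xxh'
    (B8 xx 09) preceding the int 3, or None if there is none."""
    window = blob[max(0, int3_offset - WINDOW):int3_offset]
    found = None
    for i in range(len(window) - 2):
        if window[i] == 0xB8 and window[i + 2] == 0x09 and 0x10 <= window[i + 1] <= 0x14:
            found = 0x0900 | window[i + 1]
    return found


# Constructed sample: the Haspinst.exe sequence of Method 02, then one instance
# each of Methods 03, 05 and 07, then an unrelated int 3 far from any setup.
SAMPLE = bytes.fromhex(
    "B81109" "8B17" "BE4746" "BF4D4A" "CC" "90"        # Method 02 (int 3 at offset 11)
    "31FF" "8EC7" "B88416" "BB0202" "CD2F" "90"        # Method 03 (int 2Fh at 23)
    "B84F00" "CD41" "3D86F3" "90"                      # Method 05 (int 41h at 29)
    "B443" "CD68" "3D86F3"                             # Method 07 (int 68h at 37)
    + "90" * 32 + "CC"                                 # plain int 3 at 74: not reported
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        extra = ""
        if method == 2:
            extra = f", back door AX={backdoor_function(SAMPLE, off):04X}h"
        elif method in (5, 7):
            extra = f", cmp ax,0F386h follows: {checks_magic_number(SAMPLE, off)}"
        print(f"offset {off:#06x}: Method {method:02d} {desc}{extra}")
```

Run as a script it prints one line per hit; for a Method 02 hit `backdoor_function`
recovers which back door command (0910h..0914h) the code asked for, and
`checks_magic_number` tells whether a `cmp ax,0F386h` follows the interrupt. As with
any byte signature, code that builds the immediates at run time will not show up,
so an empty result means "nothing visible", not "nothing there".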
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
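
The two DR7 values quoted above are only meaningful once you know which bits they
set, and the same bits tell you whether a BPM is armed on DR0..DR3. The decoder
below is an added example, not part of the original text. Reading DR7 needs ring0,
so it takes a value already obtained (for instance dumped by a driver or shown by
the debugger) and explains it. The bit layout is the documented x86 one; the
0x700/0x400 reading is the text's own, and the third sample value, a 4-byte
read/write breakpoint on DR0, is constructed.

```python
# Added example (not from the original text): decoder for DR7 values as used in
# Method 10. Bit layout per the x86 architecture manuals; sample values constructed.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN encoding 10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its control flags and the armed breakpoints."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 : bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 : bits 1, 3, 5, 7
        if local or glob:
            armed.append({
                "index": i,
                "scope": "global" if glob else "local",
                "condition": RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],   # R/Wn: bits 16+4n
                "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],     # LENn: bits 18+4n
            })
    return {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always reads as 1
        "GD": bool(dr7 & (1 << 13)),              # general detect: traps DRx access
        "breakpoints": armed,
    }


def classify(dr7: int) -> str:
    """Apply the text's reading of DR7: armed DR0..DR3 mean memory breakpoints (BPM),
    0x700 (LE+GE on top of the reserved bit) is what the SoftICE loader leaves,
    0x400 is the idle value."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "bpm: " + ", ".join(
            f"DR{b['index']} {b['condition']} len={b['length']} ({b['scope']})"
            for b in d["breakpoints"])
    if d["LE"] and d["GE"]:
        return "loader"
    return "idle"


# Constructed samples: the two values quoted in the text plus one with DR0 armed
# as a 4-byte read/write breakpoint (L0=1, R/W0=11b, LEN0=11b).
SAMPLES = {
    "started via SoftICE loader": 0x700,
    "started normally": 0x400,
    "BPM on DR0": 0x000F0401,
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:28s} DR7={value:#010x} -> {classify(value)}")
```

Note that `classify` reports armed breakpoints before the loader heuristic: a
program started through the loader with a BPM set shows both, and the breakpoint is
the more useful fact for the analyst.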
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

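
Method 11 and Method 13 both hinge on fixed strings the program must carry: the
device names "\\.\SICE", "\\.\SIWVID" and "\\.\NTICE", and the three registry
paths above. Finding those strings in the file is the quickest triage, and it
also shows where the odd-looking offsets in the breakpoints quoted in both methods
(`*(esp->4+4)=='SICE'`, `*(esp->8+0x13)=='tICE'`, `*(esp->8+0x37)=='tICE'`) come
from. The scanner below is an added example, not part of the original text.
Assumed: the registry paths are stored without the HKEY_LOCAL_MACHINE prefix (the
hive is passed as a handle, not as text), wide-string (UTF-16LE) copies are worth
looking for as well as ANSI ones, and the sample blob is constructed.

```python
# Added example (not from the original text): scanner for the Method 11 device
# names and the Method 13 registry paths, ANSI and UTF-16LE, plus the 4-byte tags
# the quoted SoftICE breakpoints compare against. Sample input is constructed.

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]            # Method 11
REGISTRY_KEYS = [                                                     # Method 13
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",   # #1
    r"Software\NuMega\SoftICE",                                       # #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",  # #3
]


def find_markers(blob: bytes, case_insensitive: bool = True):
    """Return a sorted list of (offset, encoding, marker, category) for every
    ANSI or UTF-16LE occurrence of a device name or registry path."""
    hay = blob.lower() if case_insensitive else blob
    hits = []
    for category, markers in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for marker in markers:
            for enc, needle in (("ansi", marker.encode("latin-1")),
                                ("utf-16le", marker.encode("utf-16-le"))):
                if case_insensitive:
                    needle = needle.lower()     # ASCII-only lowering, enough here
                start = 0
                while (pos := hay.find(needle, start)) != -1:
                    hits.append((pos, enc, marker, category))
                    start = pos + 1
    return sorted(hits)


def bpx_tag(marker: str, offset: int) -> str:
    """The four characters a breakpoint such as *(esp->4+4)=='SICE' or
    *(esp->8+0x13)=='tICE' reads at the given offset into the string argument."""
    return marker[offset:offset + 4]


# Constructed sample: NUL padding, an ANSI device name, filler, a wide-string
# device name, then registry key #2.
SAMPLE = (
    b"\x00" * 16
    + rb"\\.\SICE" + b"\x00"
    + b"junk"
    + "\\\\.\\SIWVID".encode("utf-16-le")
    + rb"Software\NuMega\SoftICE" + b"\x00"
)

if __name__ == "__main__":
    for off, enc, marker, category in find_markers(SAMPLE):
        print(f"{off:#06x} {enc:8s} {category:8s} {marker}")
    # why the quoted breakpoints test those particular offsets
    print(bpx_tag(DEVICE_NAMES[0], 4), bpx_tag(REGISTRY_KEYS[1], 0x13),
          bpx_tag(REGISTRY_KEYS[0], 0x37))
```

`bpx_tag` reproduces the arithmetic behind the quoted breakpoints: four characters
into "\\.\SICE" sits 'SICE', and 0x13 into key #2 or 0x37 into key #1 sits 'tICE',
which is why one `_regopenkey` breakpoint catches both keys. A program that
assembles the string at run time, or opens the key through a different API, is not
caught by either the string scan or the breakpoint.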
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>