<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce window)
    -AX = 0911h (Execute SIce command - the command string is at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
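As an added example (not part of the original text, and not NuMega's, MeltICE's or any
packer's code), here is a small static triage scanner in Python that looks for the
instruction sequences and strings described in Methods 01-07, 11, 12 and 13 inside a
binary, so an analyst can tell which of these checks a packed sample carries before it is
ever loaded under a debugger. The byte patterns are x86 encodings I assembled by hand
from the listings above; the signature names, the maximum gap allowed between
instructions and the test vectors are my own assumptions, not values from this document.

```python
import re

# Byte-level signatures for the SoftICE checks described in this document.
# The hex bytes are hand-assembled x86 encodings of the instructions in the
# listings (16-bit code; in 32-bit code a 66h operand-size prefix sits between
# instructions and is absorbed by the ".{0,N}" gaps).  The gap sizes and names
# are this example's own choices.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) .. int 3 (CC) .. cmp al,4 (3C 04)
    "bchk-int3": rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC.{0,4}\x3C\x04",
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), then int 3
    "backdoor-int3": rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46).{0,8}\xCC",
    # Methods 03/04: mov ax,1684h (B8 84 16), mov bx,0202h or 7A5Fh (BB ..), int 2Fh (CD 2F)
    "int2f-1684": rb"\xB8\x84\x16.{0,4}\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xCD\x2F",
    # Method 05: mov ax,4Fh (B8 4F 00) .. int 41h (CD 41) .. cmp ax,0F386h (3D 86 F3)
    "int41-4f": rb"\xB8\x4F\x00.{0,8}\xCD\x41.{0,8}\x3D\x86\xF3",
    # Method 07: mov ah,43h (B4 43) .. int 68h (CD 68) .. cmp ax,0F386h
    "int68-43": rb"\xB4\x43.{0,4}\xCD\x68.{0,4}\x3D\x86\xF3",
    # Method 12: push 4Fh (6A 4F) immediately followed by push 002A002Ah (68 2A 00 2A 00)
    "vxdcall-int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11 (MeltICE): NUL-terminated device names opened via CreateFileA / _lopen
    "meltice-device": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: registry key #2 from the list above
    "softice-regkey": rb"Software\\NuMega\\SoftICE",
}

_COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return a sorted list of (offset, signature_name) for every hit in blob."""
    hits = []
    for name, rx in _COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> list:
    """Convenience wrapper: scan a file on disk (for example a packed executable)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed test vectors, hand-assembled from the listings in this document.
# They are not real samples; they only contain the instruction bytes.
SAMPLE_BCHK = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7505")          # Method 01 (32-bit)
SAMPLE_HASP = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC" "83C302")   # Haspinst loop
SAMPLE_INT2F = bytes.fromhex("33FF" "8EC7" "B88416" "BB0202" "CD2F")           # Method 03
SAMPLE_INT41 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7405")                  # Method 05
SAMPLE_INT68 = bytes.fromhex("B443" "CD68" "3D86F3" "7405")                    # Method 07
SAMPLE_VXD = bytes.fromhex("6A4F" "682A002A00" "E800000000")                   # Method 12
SAMPLE_MELT = b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                           # Method 11
SAMPLE_REG = b"Software\\NuMega\\SoftICE\x00"                                  # Method 13
SAMPLE_CLEAN = b"\x90" * 32 + b"Hello, world\x00"

if __name__ == "__main__":
    for label, blob in [("bchk", SAMPLE_BCHK), ("hasp", SAMPLE_HASP), ("clean", SAMPLE_CLEAN)]:
        print(label, scan(blob))
```

Run scan_file() on an executable and read the offsets in a disassembler; a hit is an
indicator that the sample contains one of the checks above, not proof that the check is
reachable, so confirm it in the code before trusting it.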
</PRE></TD></TR></TBODY></TABLE>