<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the signature of BoundsChecker inside SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is no longer 04h if SoftICE serviced the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0000:0000 if the VxD is absent
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to point at the interrupt vector table (ES = 0),
    ; as it is set explicitly in Method 06.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only reached if no debugger owns int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a timer byte: an unpredictable value
    xor cx, cx
    int 41h                 ; our handler copies al to cl, SoftICE's does not
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
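The sequences listed in Methods 01 to 07 all carry fixed immediates (the
'BCHK' constant, the 4647h/4A4Dh magic values, the VxD IDs 0202h and 7A5Fh,
function 4Fh, the 0F386h magic number), so an analyst can locate them
statically in a sample before ever running it under a debugger. The Python
scanner below is an added example and not code from the original text or
from Stone's stn-wid.zip: it encodes each marker instruction as a byte
pattern (immediates are little-endian, and a few bytes of slack allow for
the interleaved instructions seen in the Haspinst.exe listing) and runs the
patterns over a byte blob assembled by hand from the listings above. The
method labels, the scan() function and the SAMPLE/CLEAN buffers are this
example's own.

```python
import re
from typing import List, NamedTuple


class AntiDebugHit(NamedTuple):
    method: str     # label of the SoftICE-detection method the pattern belongs to
    offset: int     # offset of the first marker instruction in the scanned bytes
    matched: bytes  # the bytes the pattern covered


# x86 encodings of the marker instructions from Methods 01-07. Immediates are
# stored little-endian, so 'BCHK' (4243484Bh) appears as 4B 48 43 42 and the
# 16-bit "mov si,4647h" as BE 47 46. ".{0,8}?" tolerates a few interleaved
# bytes, e.g. the MOV DX,[BX] between MOV AX,0911 and MOV SI,4647 in the
# Haspinst.exe listing. (Labels and patterns are this example's own.)
SIGNATURES = {
    "01 BoundsChecker int 3 (mov ebp,'BCHK' ... int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    "02 int 3 back door (si=4647h and di=4A4Dh, either order, then int 3)":
        rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC",
    "03/04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)":
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "05 int 41h function 4Fh (mov ax,4Fh ... int 41h)":
        rb"\xB8\x4F\x00.{0,4}?\xCD\x41",
    "06 int 41h timer variant (in al,40h ... int 41h)":
        rb"\xE4\x40.{0,4}?\xCD\x41",
    "07 int 68h (mov ah,43h ; int 68h)":
        rb"\xB4\x43\xCD\x68",
    # Three bytes only, so expect occasional false positives on random data;
    # still worth reporting because Methods 05, 07 and 12 all compare ax
    # against this magic value.
    "05/07/12 cmp ax,0F386h (system-debugger magic number)":
        rb"\x3D\x86\xF3",
}

COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(code: bytes) -> List[AntiDebugHit]:
    """Return every signature hit in `code`, ordered by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(code):
            hits.append(AntiDebugHit(name, m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: the listings of Methods 01, 02, 03, 05 and 07 assembled
# by hand (Method 01 as 32-bit code, the others as 16-bit code), preceded by
# NOPs and followed by a harmless prologue/epilogue that must not match.
SAMPLE = (
    b"\x90\x90"
    # 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    # 02: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3 /
    #     add bx,2 / inc cx / cmp cx,6 / jb
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"
    # 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh /
    #     mov ax,es / add ax,di / test ax,ax / jnz
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x03\xC7\x85\xC0\x75\x20"
    # 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x30"
    # 07: mov ah,43h / int 68h / cmp ax,0F386h / jz
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x40"
    # clean code: push ebp / mov ebp,esp / pop ebp / ret
    + b"\x55\x8B\xEC\x5D\xC3"
)

CLEAN = b"\x55\x8B\xEC\x5D\xC3"


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  {hit.method}  {hit.matched.hex(' ')}")
```

The reported offset is that of the first marker instruction, not of the
whole sequence (Method 02 is reported at the MOV SI, not at the MOV AX that
precedes it), and a real sample may order the marker instructions
differently, so widen the slack or add an alternative rather than rely on
one fixed order.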
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; set interrupt vector
    mov al, 01h                     ; interrupt number: 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
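Methods 11 and 13 both leave plain data behind in the program: the device
names handed to CreateFileA/_lopen and the registry subkeys handed to
RegOpenKey. The Python scanner below is an added example, not code from the
original text, from MeltICE or from nmtrans.dll: it searches a byte buffer
for those indicators in both ASCII and UTF-16LE (the wide form a Unicode
build would carry, which goes beyond the CreateFileA case shown above),
case-insensitively because device and registry names are case-insensitive,
and leaves out the HKEY_LOCAL_MACHINE root because RegOpenKey receives the
hive as a handle rather than as text. The indicator list and the SAMPLE
buffer are constructed for this example.

```python
import re
from typing import List, NamedTuple


class StringHit(NamedTuple):
    indicator: str   # the indicator string that matched
    encoding: str    # "ascii" or "utf-16le"
    offset: int      # byte offset of the match


# Indicators taken from Method 11 (driver names opened with CreateFileA or
# _lopen) and Method 13 (registry keys giving the install directory). Only
# the subkey part of the registry paths is listed: RegOpenKey takes the hive
# (HKEY_LOCAL_MACHINE) as a handle, so the root never appears as text.
INDICATORS = [
    r"\\.\SICE",
    r"\\.\SIWVID",
    r"\\.\NTICE",
    r"Software\NuMega\SoftICE",
    r"CurrentVersion\Uninstall\SoftICE",
    r"App Paths\Loader32.Exe",
]


def _compile_indicators():
    """One case-insensitive byte regex per indicator and per encoding."""
    out = []
    for ind in INDICATORS:
        for enc in ("ascii", "utf-16le"):
            rx = re.compile(re.escape(ind.encode(enc)), re.IGNORECASE)
            out.append((ind, enc, rx))
    return out


PATTERNS = _compile_indicators()


def scan_strings(data: bytes) -> List[StringHit]:
    """Return every indicator found in `data`, ordered by offset."""
    hits = []
    for ind, enc, rx in PATTERNS:
        for m in rx.finditer(data):
            hits.append(StringHit(ind, enc, m.start()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample resembling a tiny data section: a few code bytes, two
# ASCII device names (one in lower case), one UTF-16LE device name, one
# registry subkey and a legitimate device name that must not be reported.
SAMPLE = (
    b"\x55\x8B\xEC"
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\siwvid\x00"
    + "\\\\.\\NTICE".encode("utf-16le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\\\\.\\PhysicalDrive0\x00"
)


if __name__ == "__main__":
    for hit in scan_strings(SAMPLE):
        print(f"{hit.offset:#06x}  {hit.encoding:8s}  {hit.indicator}")
```

A hit only says the string is present; a packed or encrypted sample (the
kind Methods 01 and 02 are typically found in) will not show it until
unpacked, and a program may legitimately mention SoftICE, so treat the
result as a lead for the breakpoints above rather than as proof.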

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>