About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; al is left at 04h when nothing answered the BCHK request
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler (ES is assumed to be 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl is still 0 if our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                  ; DOS: set interrupt vector
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
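Most of the tricks above reduce to fixed operand bytes (the 'BCHK' constant of method 01, the 4647h/4A4Dh magic values of method 02, the 0202h/7A5Fh VxD IDs of methods 03 and 04, function 4Fh with 0F386h for method 05, int 68h/43h for method 07, the \\.\SICE device names of method 11 and the 2A002Ah service word of method 12), so an analyst can flag them statically while triaging a protected binary. The scanner below is an added example, not part of the original post: the byte patterns are the editor's standard x86 encodings, and the sample buffer is constructed, not taken from any real program.

```python
import re

# Byte patterns for the anti-SoftICE tricks described above. The encodings are
# the editor's (standard x86), not taken from the post: 16-bit forms for the
# DOS int-based tricks, 32-bit forms (optional 66h prefix) where it matters.
# ".{0,N}?" tolerates a few unrelated bytes between the two halves of a trick.
SIGNATURES = {
    "01": rb"\x66?\xBD\x4B\x48\x43\x42",                        # mov ebp,4243484Bh ('BCHK')
    "02": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",                  # mov si,4647h / mov di,4A4Dh
    "03": rb"\xBB\x02\x02.{0,8}?\xCD\x2F",                      # mov bx,0202h / int 2Fh
    "04": rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F",                      # mov bx,7A5Fh / int 2Fh
    "05": rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?\x3D\x86\xF3",  # mov ax,4Fh / int 41h / cmp ax,0F386h
    "07": rb"\xB4\x43.{0,8}?\xCD\x68",                          # mov ah,43h / int 68h
    "11": b"|".join(re.escape(b"\\\\.\\" + n)                   # MeltICE device names
                    for n in (b"SICE", b"SIWVID", b"NTICE")),
    "12": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",                     # push 4Fh / push 2A002Ah (VxDCall)
}


def scan(data):
    """Return (offset, method) pairs, sorted by offset, for every signature hit."""
    hits = []
    for method, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), method))
    return sorted(hits)


def methods_found(data):
    """Distinct method numbers (as numbered in the post) present in data."""
    return sorted({method for _, method in scan(data)})


# Constructed sample, not from any real binary: several of the tricks above
# assembled into one buffer and separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 (32-bit)
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02 (16-bit)
    + b"\x90" * 3
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # method 03
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # method 05
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                            # method 11 device name
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # method 12
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"offset {offset:#06x}: anti-SoftICE method {method}")
```

A hit only means the operand bytes are present; confirm in a disassembler that they sit inside real instructions before reporting them.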
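Method 10 compares dr7 against 0x700 and 0x400 without saying which bits differ. The decoder below is an added example, not part of the original post: it names the DR7 fields behind those two values using the bit layout from the Intel SDM, and the third value, with a write breakpoint armed on dr0, is constructed by the editor to show what an armed BPM looks like in the same register.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2n    Ln  local enable of breakpoint n     bit 8   LE  local exact
#   bit 2n+1  Gn  global enable of breakpoint n    bit 9   GE  global exact
#   bit 10    reserved, always reads as 1          bit 13  GD  general detect
#   bits 16+4n..17+4n  R/Wn  condition             bits 18+4n..19+4n  LENn  size
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "rw"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

# Constructed value (not from the post): dr0 local, write access, 4-byte length.
BPM_DR0_WRITE_DWORD = 0x400 | 0x1 | (1 << 16) | (3 << 18)


def decode_dr7(dr7):
    """Split a DR7 value into its named flags and the list of armed breakpoints."""
    armed = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            armed.append({
                "n": n, "local": local, "global": glob,
                "kind": RW_KIND[(dr7 >> (16 + 4 * n)) & 3],
                "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
            })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "breakpoints": armed,
    }


def classify_dr7(dr7):
    """Read a DR7 value in the terms method 10 uses."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        regs = ",".join("dr%d" % b["n"] for b in d["breakpoints"])
        return "hardware breakpoints armed (BPM on %s)" % regs
    if d["LE"] and d["GE"]:
        return "LE+GE set (0x700): program started through the SoftICE loader"
    return "only the reserved bit (0x400): nothing detected"


if __name__ == "__main__":
    for value in (0x700, 0x400, BPM_DR0_WRITE_DWORD):
        print("dr7=%#x -> %s" % (value, classify_dr7(value)))
```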