<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; al is changed only if SoftICE handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
    xchg bx, es:[41h*4+2]   ; (ES is assumed to be 0 here, as in Method 06)
    mov ax,4fh
    int 41h                 ; reaches our handler unless a debugger owns int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only runs if our handler really gets the int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; al = timer value (any non-constant value will do)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al: somebody else handled int 41h
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the driver answers DIOC_OPEN only if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 if the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

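A small scanner, added here as an example and not part of the original text, that flags the byte idioms of methods 01 to 12 in a raw code blob the way an analyst would triage a packed sample. The x86 encodings are assumed from the listings above (16-bit forms for the DOS snippets, up to 12 bytes of other code between the instructions of one idiom), and the sample blob is constructed.

```python
import re

# Encodings assumed from the listings above (16-bit forms for the DOS
# snippets); parts must appear in order, at most GAP bytes apart.
SIGNATURES = {
    "Method 01 (mov ebp,'BCHK' ... int 3)":
        [b"\xBD\x4B\x48\x43\x42", b"\xCC"],
    "Method 02 (int 3 backdoor, SI=4647h DI=4A4Dh)":
        [b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC"],
    "Method 03 (int 2Fh/1684h, VxD ID 0202h)":
        [b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"],
    "Method 04 (int 2Fh/1684h, VxD ID 7A5Fh)":
        [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"],
    "Method 05 (int 41h/4Fh)":
        [b"\xB8\x4F\x00", b"\xCD\x41"],
    "Method 07 (int 68h/43h)":
        [b"\xB4\x43", b"\xCD\x68"],
    "Method 12 (push 4Fh; push 002A002Ah; VxDCall)":
        [b"\x6A\x4F", b"\x68\x2A\x00\x2A\x00"],
}
# Method 11 / MeltICE: device names handed to CreateFileA or _lopen.
DRIVER_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
GAP = 12


def compile_signature(parts):
    """Build one regex from the ordered parts, allowing small gaps."""
    gap = b".{0,%d}" % GAP
    return re.compile(gap.join(re.escape(p) for p in parts), re.DOTALL)


def scan(blob):
    """Return sorted (offset, label) pairs for every idiom found in blob."""
    hits = []
    for label, parts in SIGNATURES.items():
        for m in compile_signature(parts).finditer(blob):
            hits.append((m.start(), label))
    for name in DRIVER_NAMES:
        for m in re.finditer(re.escape(name), blob):
            hits.append((m.start(), "Method 11 (opens %s)" % name.decode()))
    return sorted(hits)


# Constructed sample: the Haspinst-style backdoor call (Method 02), the
# int 41h/4Fh probe (Method 05) and a MeltICE device name, NOP-padded.
SAMPLE = (
    b"\xB8\x11\x09"      # mov ax,0911h
    b"\x8B\x17"          # mov dx,[bx]
    b"\xBE\x47\x46"      # mov si,4647h
    b"\xBF\x4D\x4A"      # mov di,4A4Dh
    b"\xCC"              # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00"    # mov ax,4Fh
    b"\xCD\x41"          # int 41h
    b"\x3D\x86\xF3"      # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
)
```

`scan(SAMPLE)` reports the Method 02 sequence at offset 5, the Method 05 probe at offset 20 and the `\\.\SICE` string at offset 32.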
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>