<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature recognised by SoftICE: if SoftICE is
loaded, the int 3 below changes AL, otherwise AL stays 4.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", entry int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of WinICE
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in a dummy int 41h handler (ES must be 0)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; timer value, unknown to the debugger
    xor cx,cx
    int 41h                  ; if SoftICE hooks int 41h, our handler never runs
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

A method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) of
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers, you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) or whether some memory breakpoints are set (dr0 to
dr3), simply by reading their values (ring0 only). The values can also be
manipulated or changed (clearing BPMs, for instance).
___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver handles
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the device name only succeeds when the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


___________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
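Added example, not part of the original text: a small Python scanner that searches a binary image for the byte-level fingerprints of the checks listed above (methods 01 to 07, 11, 12 and 13), so an analyst can spot a packer's anti-SoftICE code statically instead of tracing it. The signature names, the `scan`/`scan_file` helpers and the sample buffer are constructed here; the opcode bytes follow the standard x86 encoding of the instructions shown on the page.

```python
import re

# Byte-level fingerprints of the checks described above. Opcode bytes follow
# the standard x86 encoding (mov r16,imm16 = B8+reg, mov ah,imm8 = B4,
# mov ebp,imm32 = BD, int n = CD n, push imm8/imm32 = 6A/68). In 32-bit code
# the mov r16 forms carry a 66h prefix; the small lazy gaps allow for it.
SIGNATURES = {
    "01 BoundsChecker BCHK / int 3":   [rb"\xBD\x4B\x48\x43\x42"],              # mov ebp,4243484Bh
    "02 back door magic SI/DI":        [rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"],   # mov si,4647h .. mov di,4A4Dh
    "03 int 2Fh/1684h SICE VxD":       [rb"\xB8\x84\x16.{0,2}?\xBB\x02\x02.{0,4}?\xCD\x2F"],
    "04 int 2Fh/1684h SIWVID VxD":     [rb"\xB8\x84\x16.{0,2}?\xBB\x5F\x7A.{0,4}?\xCD\x2F"],
    "05 int 41h function 4Fh":         [rb"\xB8\x4F\x00\xCD\x41"],              # mov ax,4Fh / int 41h
    "06 int 41h timer handler check":  [rb"\xE4\x40(?:\x33|\x31)\xC9\xCD\x41"], # in al,40h / xor cx,cx / int 41h
    "07 int 68h function 43h":         [rb"\xB4\x43\xCD\x68"],                  # mov ah,43h / int 68h
    "11 MeltICE driver name":          [rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"],     # \\.\SICE, \\.\SIWVID, \\.\NTICE
    "12 VxDCall VWIN32_Int41Dispatch": [rb"\x6A\x4F\x68\x2A\x00\x2A\x00"],      # push 4Fh / push 2A002Ah
    "13 NuMega registry key":          [rb"Software\\NuMega\\SoftICE"],
}


def scan(data: bytes) -> dict:
    """Map each signature name to the sorted offsets where it matches in data."""
    hits = {}
    for name, patterns in SIGNATURES.items():
        found = set()
        for pat in patterns:
            # DOTALL so the gap bytes may also be 0x0A
            found.update(m.start() for m in re.finditer(pat, data, re.DOTALL))
        if found:
            hits[name] = sorted(found)
    return hits


def scan_file(path: str) -> dict:
    """Convenience wrapper for a file on disk (e.g. a packed executable)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample image (not taken from any real binary): NOP padding,
# the method 01 sequence, the method 05 sequence and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"               # mov ebp,4243484Bh            (offset 4)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"       # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh / int 41h / cmp ax,0F386h (offset 19)
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                    # "\\.\SICE" as passed to CreateFileA (offset 30)
    + b"\xC3"
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name}: " + ", ".join(f"0x{o:X}" for o in offsets))
```

Run it against a packed sample with `scan_file(path)`; a hit only flags the presence of the sequence, so confirm it by disassembling at the reported offset.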