<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's BoundsChecker interface answers here
    cmp al,4                ; AL is left untouched when SoftICE is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call.(if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI stays 0000:0000 when the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next one, as well as the one of Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 so that ES:[41h*4] is the int 41h vector (see Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; replace the int 41h vector by our own handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; put the original vector back
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al               ; the dummy handler just copies AL into CL
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install the dummy handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; changing value read from the timer counter port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL == AL only if our own handler was reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
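To make the 0x700 / 0x400 values concrete, here is an added example (not from the original text) that decodes a DR7 value into the flags Method 10 reads. It assumes the IA-32 DR7 bit layout; the sample value with a BPM in dr0 is constructed.

```python
# Assumption: the IA-32 DR7 layout (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 always read as 1, GD bit 13, R/Wn in bits 16+4n, LENn in bits 18+4n).
RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its global flags and the enabled breakpoint slots."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            slots.append({"slot": n, "global": bool(glob),
                          "type": RW_TYPES[rw], "len": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000), "breakpoints": slots}


def classify(dr7: int) -> str:
    """Read a DR7 value the way Method 10 does."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "BPM set: " + ", ".join(
            f"dr{b['slot']} {b['type']} {b['len']}B" for b in d["breakpoints"])
    if d["le"] and d["ge"]:
        return "no BPM, LE and GE set: the 0x700 case (started with the SoftICE loader)"
    return "no BPM, only the reserved bit: the 0x400 case"


# Constructed sample: a 4-byte read/write BPM in dr0 (L0=1, R/W0=11b, LEN0=11b)
# on top of the always-set reserved bit.
SAMPLE_BPM = 0x400 | 0x1 | (0x3 << 16) | (0x3 << 18)   # = 0xF0401

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_BPM):
        print(f"dr7={value:#x}: {classify(value)}")
```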

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* MeltICE check: try to open the SoftICE Win9x driver by its device name. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
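As an added example that is not part of the original text, the following Python script turns the instruction sequences of Methods 01, 02, 03/04, 05, 07 and 12 and the driver names of Method 11 into byte signatures and scans a raw binary for them, so an analyst can triage a protected executable without tracing it under SoftICE. It assumes 32-bit encodings for Methods 01 and 12 and 16-bit DOS encodings (optionally with a 66h prefix) for the others; the sample blob is constructed.

```python
import re
import sys

# Signatures are the instruction encodings of the tricks shown on this page.
# Assumption: 32-bit code for Methods 01, 11 and 12 (as their listings show),
# 16-bit DOS code for the others, with an optional 66h operand-size prefix
# allowed where the same sequence can also appear in 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    "M01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: mov si,4647h and mov di,4A4Dh (either order) before an int 3
    "M02 SoftICE backdoor magic SI/DI":
        rb"(?:\xBE\x47\x46.{0,16}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}\xBE\x47\x46).{0,16}\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03/04 int 2Fh/1684h VxD entry point":
        rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "M05 int 41h/4Fh magic 0F386h":
        rb"\x66?\xB8\x4F\x00\xCD\x41\x66?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h/43h":
        rb"\xB4\x43\xCD\x68",
    # Method 11: the device names MeltICE opens with CreateFileA or _lopen
    "M11 MeltICE driver name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch/4Fh":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}


def scan(blob: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a Method 01 stub, the Method 02 call site from the
# Haspinst.exe listing (mov ax,0911h / mov dx,[bx] / mov si / mov di / int 3)
# and a MeltICE device name, separated by padding.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x00" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:#010x}  {name}")
```

Run it with a file path to scan a real binary; without one it scans the constructed sample.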
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory.
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>