<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE answers the
BoundsChecker interface on INT 3 when EBP holds 'BCHK' and AX = 4, and
modifies AL while doing so. If AL still equals 4 after the INT 3, nobody
answered and no SoftICE is loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SoftICE window)
  -AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911   ; execute command.
4C19:0098  MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647   ; 1st magic value.
4C19:009D  MOV DI,4A4D   ; 2nd magic value.
4C19:00A0  INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06     ; Repeat 6 times to execute
4C19:00A8  JB 0095       ; 6 different commands.
4C19:00AA  JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD  MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception handler the program
  installs on INT 3, which only runs if the debugger is not loaded.

Since the last command is HBOOT, never let this INT 3 execute unchanged
with SoftICE loaded: break on it first and alter SI, DI or AX so that
SoftICE does not recognise the back door call.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). When no VxD with that ID is loaded the
service returns ES:DI = 0000:0000, so any non-zero result means the
debugger's VxD answered.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one (Method 06) are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). The vector swap makes the
check independent of whatever sits in the real-mode IVT: the program's own
IRET handler guarantees that AX is left untouched when no debugger is
present, while SoftICE intercepts int 41h at the VMM level, before the
vector is consulted, and still answers with 0F386h.

        xor ax,ax
        mov es,ax               ; ES = 0 so that ES:[41h*4] addresses the IVT
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP



_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The replacement handler copies AL into CL before returning. CX is cleared
and AL is loaded with a timer byte beforehand, so CL == AL afterwards only
if the program's own handler really ran; if SoftICE intercepted the
interrupt the compare fails. (Note the blind spot: if the byte read from
port 40h happens to be zero the compare passes even with SoftICE present.)


int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected


_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86).

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and
ds:dx points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3), simply
by reading their value (in ring 0 only: a MOV from a debug register raises
#GP at CPL 3). The values can be manipulated or changed as well (clearing
BPMs for instance).

__________________________________________________________________________
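As an added example (not part of the original text), here is a Python decoder for a DR7 value such as the 0x700/0x400 patterns above: it reports the LE/GE flags, which of the four breakpoint slots are armed and with what condition and length, applies the Method 10 heuristic, and shows which bits get cleared when BPMs are removed. The bit layout is the documented one from the Intel SDM; the function names, the verdict strings and the 0x000D0701 sample value are my own choices.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0 ... L3,G3  local/global enable for breakpoints 0-3
#   bits 8, 9  : LE, GE           exact-match flags set by older debuggers
#   bit 10     : reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13     : GD               general detect: trap any access to DRx
#   bits 16-31 : R/Wn (2 bits) and LENn (2 bits) for each breakpoint n

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # 8 bytes is only valid in 64-bit mode

ENABLE_MASK = 0x000000FF        # L0..G3
CONDITION_MASK = 0xFFFF0000     # R/W0..LEN3


def decode_dr7(dr7):
    """Split a raw DR7 value into its flags and the list of armed breakpoints."""
    info = {
        "le": bool(dr7 >> 8 & 1),
        "ge": bool(dr7 >> 9 & 1),
        "gd": bool(dr7 >> 13 & 1),
        "breakpoints": [],
    }
    for n in range(4):
        local = dr7 >> (2 * n) & 1
        glob = dr7 >> (2 * n + 1) & 1
        if not (local or glob):
            continue                # slot n is not armed
        rw = dr7 >> (16 + 4 * n) & 3
        ln = dr7 >> (18 + 4 * n) & 3
        info["breakpoints"].append({
            "n": n,
            "local": bool(local),
            "global": bool(glob),
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],   # bytes covered starting at the address in DRn
        })
    return info


def classify(dr7):
    """Apply the Method 10 heuristic to a DR7 value read in ring 0.

    Returns one of (names are my own):
      "bpm-armed"      at least one hardware breakpoint (a SoftICE BPM) is enabled
      "softice-loader" no breakpoint, LE and GE set: the 0x700 pattern
      "idle"           no breakpoint, LE/GE clear: the plain 0x400 pattern
    """
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "bpm-armed"
    if info["le"] and info["ge"]:
        return "softice-loader"
    return "idle"


def clear_breakpoints(dr7):
    """Return DR7 with every breakpoint disarmed (what 'clearing BPMs' does).

    Only the enable bits and the per-slot condition fields are touched; LE/GE
    and the reserved bit 10 are preserved, so 0x000D0701 becomes 0x700.
    """
    return dr7 & ~(ENABLE_MASK | CONDITION_MASK) & 0xFFFFFFFF


if __name__ == "__main__":
    # 0x000D0701 is a constructed value: breakpoint 0 local, write, 4 bytes,
    # on top of the 0x700 loader pattern (not a value taken from a real system).
    for value in (0x400, 0x700, 0x000D0701):
        print(hex(value), classify(value), decode_dr7(value)["breakpoints"])
```

The decoder works on a value you already obtained (from a driver, or from a debugger's register dump); it does not read DR7 itself, since that instruction is ring 0 only as the text says.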

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega people
to allow Symbol Loader to check whether SoftICE was active or not (the code
is located inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"

/* SoftICE for Win9x answers the device name SICE, so opening \\.\SICE
   succeeds only while the driver is loaded. The same call with \\.\SIWVID
   (Win9x video driver) or \\.\NTICE (WinNT) covers the other drivers. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the handle opened: the driver is present */
        return TRUE;
    }
    return FALSE;               /* INVALID_HANDLE_VALUE: no such device */
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one!

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
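As an added example (not part of the original text, and not code from any tool it mentions), the following Python scanner turns the listings of Methods 01, 02, 03/04, 05, 07 and 12 into opcode signatures and the device names of Method 11 and registry keys of Method 13 into string signatures, then runs them over a constructed buffer. The signature keys, the gap sizes between fixed bytes and the sample bytes are my own choices; the opcode encodings are the standard x86 ones.

```python
import re

# (key, description, byte pattern) for the anti-SoftICE sequences described
# above.  Encodings used: mov r16,imm16 = B8+r iw, mov ebp,imm32 = BD id,
# int n = CD ib, int 3 = CC, cmp ax,imm16 = 3D iw, mov ah,imm8 = B4 ib,
# push imm8 = 6A ib, push imm32 = 68 id.  A 66h prefix is allowed where
# 32-bit code would emit one, and ".{0,n}?" absorbs the few instructions the
# listings interleave between the fixed bytes.
SIGNATURES = [
    ("M01", "mov ebp,'BCHK' ... int 3 (BoundsChecker interface)",
     rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc"),
    ("M02", "mov si,4647h ; mov di,4A4Dh (int 3 back door magic values)",
     rb"\x66?\xbe\x47\x46.{0,4}?\xbf\x4d\x4a"),
    ("M03/04", "mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh (VxD entry point)",
     rb"\xb8\x84\x16.{0,6}?\xbb(?:\x02\x02|\x5f\x7a).{0,6}?\xcd\x2f"),
    ("M05", "mov ax,4Fh ; int 41h (debugger installation check)",
     rb"\xb8\x4f\x00.{0,8}?\xcd\x41"),
    ("M07", "mov ah,43h ; int 68h (V86 debugger installation check)",
     rb"\xb4\x43.{0,6}?\xcd\x68"),
    ("M12", "push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("F386", "cmp ax,0F386h (system debugger magic, methods 05/07/12)",
     rb"\x66?\x3d\x86\xf3"),
    ("M11", "MeltICE device name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("M13", "registry key locating the SoftICE installation",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(key, desc, re.compile(pat, re.DOTALL)) for key, desc, pat in SIGNATURES]


def scan(blob):
    """Return a sorted list of (offset, key) for every signature found in blob."""
    hits = []
    for key, _desc, pattern in COMPILED:
        for match in pattern.finditer(blob):
            hits.append((match.start(), key))
    hits.sort()
    return hits


def describe(key):
    """Human-readable description for a signature key."""
    for k, desc, _pattern in COMPILED:
        if k == key:
            return desc
    return "unknown"


# Constructed sample (not bytes taken from any real file): Method 01, Method 03
# with the SICE VxD ID, Method 05 with its F386h compare, a MeltICE device
# name and a registry key, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"         # mov ebp,4243484Bh   ('BCHK')
    + b"\x66\xb8\x04\x00"             # mov ax,4
    + b"\xcc"                         # int 3
    + b"\x3c\x04\x75\x10"             # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\x33\xff\x8e\xc7"             # xor di,di / mov es,di
    + b"\xb8\x84\x16"                 # mov ax,1684h
    + b"\xbb\x02\x02"                 # mov bx,0202h        (SICE)
    + b"\xcd\x2f"                     # int 2Fh
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41"         # mov ax,4Fh / int 41h
    + b"\x3d\x86\xf3\x74\x10"         # cmp ax,0F386h / jz SoftICE_detected
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"              # "\\.\SICE",0
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, key in scan(SAMPLE):
        print("%04x  %-6s %s" % (offset, key, describe(key)))
```

Run it over a real file with `scan(open(path, "rb").read())`. The short patterns (M02, F386, M07) can hit on data by chance, so treat a lone hit as a lead and confirm it in the disassembler; the longer sequences are much more specific.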

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>