About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; a loaded SoftICE recognises 'BCHK' in ebp and modifies al
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'back door' commands, which give information on breakpoints,
execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
! c& Z8 \; a6 T5 `1 v___________________________________________________________________________
$ E6 F4 E2 k3 f) W2 L2 r- s6 {, B4 r& X9 i+ D

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):


    xor     di,di
    mov     es,di                   ; es:di = 0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if no VxD with that ID answered
    test    ax,ax
    jnz     SoftICE_Detected
$ i3 j. X8 M# q
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes es = 0 (the IVT segment), as set in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; without SoftICE our dummy handler runs and ax stays 4fh
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; dummy handler: returns ax unchanged
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler echoes al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value (PIT counter), so no constant can fake it
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler ran: cl == al; SoftICE took the int: cl still 0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
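The two DR7 values quoted above read naturally once the register is decoded bit by bit. The Python below is an added example, not part of the original text: the bit layout is the one in the Intel SDM, while the meaning attached to 0x700 (the value seen after the SoftICE loader starts a program) is taken from the text. 0x400 is nothing but reserved bit 10, which always reads as 1; 0x700 adds the LE/GE "exact" enable bits 8 and 9 with no breakpoint slot armed; any L/G bit set means a hardware breakpoint (a BPM) is live, and a set GD bit means the very MOV from DRx that a ring0 check performs will itself trap.

```python
"""Decode x86 DR7 so the values in Method 10 (0x400 vs 0x700) can be read.

Bit layout (Intel SDM vol. 3, Debug Registers):
  bits 0..7   L0 G0 L1 G1 L2 G2 L3 G3  local/global enable for slots 0..3
  bit  8      LE  local exact enable   (legacy; P6 and later ignore it)
  bit  9      GE  global exact enable  (legacy)
  bit  10     reserved, always reads as 1
  bit  13     GD  general detect: trap any MOV to/from DR0..DR7
  bits 16..31 RWn (2 bits) and LENn (2 bits) for slots 0..3
"""

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "rw"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b = 8 bytes is only defined in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its fields; each slot says whether it is armed and how."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "armed": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1), "slots": slots}


def classify_dr7(dr7: int) -> str:
    """Classify a DR7 reading the way a ring0 check in the spirit of Method 10 would.

    'clean'      : only the reserved bit set (0x400), no debugger trace
    'le_ge_set'  : LE+GE set, no slot armed (0x700, the loader case in the text)
    'bpm:<n,..>' : one or more hardware breakpoints (SoftICE BPM) are live
    'gd_set'     : general detect armed; reading DRx from ring0 will itself trap
    """
    f = decode_dr7(dr7)
    armed = [s["slot"] for s in f["slots"] if s["armed"]]
    if f["gd"]:
        return "gd_set"
    if armed:
        return "bpm:" + ",".join(map(str, armed))
    if f["le"] and f["ge"]:
        return "le_ge_set"
    return "clean"


def dr7_for_bpm(slot: int, kind: str, length: int, global_: bool = True) -> int:
    """Build the DR7 a debugger would write to arm one BPM (inverse of decode_dr7)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    value = 1 << 10                                  # keep the reserved bit set
    value |= 1 << (2 * slot + (1 if global_ else 0))
    value |= rw << (16 + 4 * slot)
    value |= ln << (18 + 4 * slot)
    return value


if __name__ == "__main__":
    for v in (0x400, 0x700, dr7_for_bpm(0, "write", 4)):
        print(hex(v), classify_dr7(v))
```

A BPM on a 4-byte write at slot 0 (G0, RW0=01b, LEN0=11b) decodes to 0xD0402, which is what a ring0 check reads back while such a breakpoint is set; clearing the L/G bits of that slot is the "clearing BPMs" manipulation mentioned above.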

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;          /* the driver answered, so SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
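Most of the tricks above leave fixed byte runs in the binary: the magic immediates (4647h/4A4Dh, 0F386h, 1684h with the VxD IDs), the interrupt numbers, the device names of Method 11 and the registry path of Method 13. That makes a static pass worthwhile before a sample is ever loaded under the debugger, as a complement to the BPX conditions given for each method. The scanner below is an added example written for this page, not code from the original text: the opcode encodings are mine (16-bit operand size; the same byte runs also appear in 32-bit code, merely preceded by a 66h prefix), the sample image it scans is constructed, and the signature names map to the method numbers of this text. It covers Methods 01 to 05, 07, 11, 12 and 13; a packer that builds the values at run time or splits them across instructions will of course not be caught.

```python
"""Static triage: find the anti-SoftICE sequences from this text in a raw x86 image.

Immediates are little-endian, so MOV SI,4647h assembles to BE 47 46.
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class Sig:
    name: str        # method number in the text and what the run corresponds to
    parts: tuple     # every run must occur within `window` bytes after the first
    window: int = 48


SIGS = (
    Sig("M01 BoundsChecker 'BCHK' int 3",            (b"\xBD\x4B\x48\x43\x42", b"\xCC")),
    Sig("M02 int 3 back door (SI=4647h DI=4A4Dh)",   (b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC")),
    Sig("M03 int 2Fh/1684h VxD ID 0202h (SICE)",     (b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F")),
    Sig("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)",   (b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F")),
    Sig("M05 int 41h/4Fh, cmp ax,0F386h",            (b"\xB8\x4F\x00", b"\xCD\x41", b"\x3D\x86\xF3")),
    Sig("M07 int 68h/43h, cmp ax,0F386h",            (b"\xB4\x43", b"\xCD\x68", b"\x3D\x86\xF3")),
    Sig("M12 VxDCall 002A002Ah, cmp ax,0F386h",      (b"\x68\x2A\x00\x2A\x00", b"\x3D\x86\xF3")),
)

# Plain strings from Methods 11 and 13; no window needed.
STRINGS = (
    ("M11 device name \\\\.\\SICE",      b"\\\\.\\SICE"),
    ("M11 device name \\\\.\\SIWVID",    b"\\\\.\\SIWVID"),
    ("M11 device name \\\\.\\NTICE",     b"\\\\.\\NTICE"),
    ("M13 registry key NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
)


def find_all(blob: bytes, needle: bytes) -> Iterator[int]:
    """Yield every (possibly overlapping) offset of needle in blob."""
    off = blob.find(needle)
    while off >= 0:
        yield off
        off = blob.find(needle, off + 1)


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (name, offset) for every signature hit, ordered by offset."""
    hits = []
    for sig in SIGS:
        for off in find_all(blob, sig.parts[0]):
            region = blob[off:off + sig.window]
            if all(part in region for part in sig.parts[1:]):
                hits.append((sig.name, off))
    for name, s in STRINGS:
        hits.extend((name, off) for off in find_all(blob, s))
    return sorted(hits, key=lambda h: h[1])


def build_sample() -> bytes:
    """A constructed image (not a real file) carrying five of the tricks with NOP padding."""
    pad = b"\x90" * 7
    return b"".join((
        b"MZ" + b"\x00" * 14,                                   # fake DOS header
        pad,
        b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC",    # the Haspinst.exe sequence (M02)
        pad,
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10",            # M05, jz after the cmp
        pad,
        b"\\\\.\\SICE\x00",                                      # M11 device name
        pad,
        b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",                    # M04
        pad,
        b"Software\\NuMega\\SoftICE\x00",                        # M13 registry key
    ))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, off in scan(data):
        print(f"{off:08X}  {name}")
```

Run it with a file path to scan a real image, or with no argument to scan the constructed sample. The per-signature window keeps the check tolerant of the register moves and NOPs that usually sit between the immediates and the INT, while still refusing a lone CD 41 or a stray 'SICE' string that happens to appear elsewhere in the file.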
& m* W9 r1 y( C
__________________________________________________________________________0 R, h5 v! ^; r6 b, q  f
" I  L, `- V( U

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>