About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; es must be 0 (IVT segment) here, as set explicitly in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

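As an added illustration of the DR7 values quoted above (this is not part of the original text), the following Python decoder breaks a DR7 value into its enable bits and breakpoint descriptors, so an analyst reading the registers from a dump or a hypervisor can see why 0x400 reads as "nothing enabled" (bit 10 is reserved and always set), why 0x700 adds only the LE/GE exact-match flags, and what conditions an armed breakpoint carries. The bit layout follows the Intel SDM; the wording returned by classify() and the 0xD0401 / 0x70000480 sample values are mine.

```python
# Added example: decode an x86 DR7 value the way the check above reads it.
# Bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3 : local/global enable for DR0..DR3
#   bit 8      LE, bit 9 GE             : exact-match flags (set by debuggers)
#   bit 10     reserved, always reads 1 : this is the bare 0x400 value
#   bit 13     GD                       : general detect (trap on DRx access)
#   bits 16-31 R/W0,LEN0 .. R/W3,LEN3   : two bits each, per breakpoint

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the flags and the armed breakpoint descriptors encoded in DR7."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 0b11
            ln = (dr7 >> (18 + 4 * n)) & 0b11
            breakpoints.append({
                "index": n,
                "local": bool(local),
                "global": bool(glob),
                "kind": RW_KIND[rw],
                "length": LEN_BYTES[ln],
            })
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
        "breakpoints": breakpoints,
    }


def classify(dr7: int) -> str:
    """Map a DR7 value onto the three cases the text distinguishes
    (the wording is mine, not SoftICE's)."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints armed (BPM-style)"
    if info["LE"] and info["GE"]:
        return "no breakpoints, LE/GE set (the 0x700 case)"
    return "no breakpoints, no flags (the 0x400 case)"


if __name__ == "__main__":
    # 0xD0401 is a constructed value: bit 10 + L0 + R/W0=write + LEN0=4 bytes
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), classify(value), decode_dr7(value)["breakpoints"])
```

Reading DR7 this way also makes the "clearing BPMs" remark concrete: zeroing the L/G bits of an entry is what removes a memory breakpoint, and a debugger that wants to notice tampering has to compare what it wrote against what it reads back.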
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* CreateFileA explicitly, since the device name is a narrow string */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!
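
Methods 01 to 07 and Method 12 all reduce to a handful of fixed instruction encodings (a magic immediate followed by an INT, or the 002A002Ah/4Fh VxDCall arguments), so they are easy to flag statically when triaging a packed sample before it ever runs. The following Python scanner is an added example, not part of the original text or of any tool it mentions: the byte patterns are my hand-assembled 16-bit encodings (the optional 66h operand-size prefix covers the same instructions in 32-bit code), SAMPLE is a constructed blob stitched together from the snippets above, and the patterns are deliberately loose (an assembler may pick a different encoding, e.g. `C7 C6 47 46` for `mov si,4647h`), so treat a hit as a triage hint and a miss as no information.

```python
import re

# Added example: static signatures for the interrupt-based checks of
# Methods 01-07 and 12. Encodings are hand-assembled 16-bit forms; the
# optional 66h operand-size prefix covers the same instructions in 32-bit
# code. Patterns are loose on purpose: treat hits as triage hints.
SIGNATURES = {
    "01": ("mov ebp,'BCHK' ... int 3",
           rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)"),
    "02": ("mov si,4647h / mov di,4A4Dh ... int 3 (back door)",
           rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
           rb".{0,8}?(?:\xCC|\xCD\x03)"),
    "03/04": ("mov ax,1684h / mov bx,0202h|7A5Fh ... int 2Fh",
              rb"(?:\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"
              rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xB8\x84\x16).{0,8}?\xCD\x2F"),
    "05": ("mov ax,4Fh ... int 41h ... cmp ax,0F386h",
           rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3"),
    "06": ("in al,40h ... int 41h ... cmp cl,al",
           rb"\xE4\x40.{0,16}?\xCD\x41.{0,16}?\x38\xC1"),
    "07": ("mov ah,43h ... int 68h ... cmp ax,0F386h",
           rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    "12": ("push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
           rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}
COMPILED = {k: (desc, re.compile(pat, re.DOTALL))
            for k, (desc, pat) in SIGNATURES.items()}


def scan(blob: bytes):
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, (desc, pattern) in COMPILED.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: the snippets from the text, hand-assembled, back to back.
SAMPLE = (
    b"\x90\x90\x90\x90"             # 0:  nop padding
    b"\x66\xBD\x4B\x48\x43\x42"     # 4:  mov ebp,4243484Bh ('BCHK')    Method 01
    b"\xB8\x04\x00"                 # 10: mov ax,4
    b"\xCC"                         # 13: int 3
    b"\x3C\x04"                     # 14: cmp al,4
    b"\x75\x00"                     # 16: jnz short
    b"\xB8\x11\x09"                 # 18: mov ax,0911h                   Method 02
    b"\x8B\x17"                     # 21: mov dx,[bx]
    b"\xBE\x47\x46"                 # 23: mov si,4647h
    b"\xBF\x4D\x4A"                 # 26: mov di,4A4Dh
    b"\xCC"                         # 29: int 3
    b"\x31\xFF"                     # 30: xor di,di                      Method 03
    b"\x8E\xC7"                     # 32: mov es,di
    b"\xB8\x84\x16"                 # 34: mov ax,1684h
    b"\xBB\x02\x02"                 # 37: mov bx,0202h
    b"\xCD\x2F"                     # 40: int 2Fh
    b"\xB8\x4F\x00"                 # 42: mov ax,4Fh                     Method 05
    b"\xCD\x41"                     # 45: int 41h
    b"\x3D\x86\xF3"                 # 47: cmp ax,0F386h
    b"\xB4\x43"                     # 50: mov ah,43h                     Method 07
    b"\xCD\x68"                     # 52: int 68h
    b"\x3D\x86\xF3"                 # 54: cmp ax,0F386h
    b"\x6A\x4F"                     # 57: push 4Fh                       Method 12
    b"\x68\x2A\x00\x2A\x00"         # 59: push 002A002Ah
    b"\xE4\x40"                     # 64: in al,40h                      Method 06
    b"\x31\xC9"                     # 66: xor cx,cx
    b"\xCD\x41"                     # 68: int 41h
    b"\x38\xC1"                     # 70: cmp cl,al
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:04x}  Method {method:<5} {desc}")
```

The byte windows (`.{0,8}?`) are what make the rules tolerant of the register setup sitting between the magic constant and the interrupt; widen them for code that interleaves junk instructions, and expect more false positives when you do.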

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

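The two SoftICE breakpoints quoted for Methods 11 and 13 encode fixed offsets into the strings passed to CreateFileA and _regopenkey. As an added example (not from the original text), the Python below re-implements both conditions on plain byte strings, which makes it easy to check what they cover: the _regopenkey expression fires for keys #1 and #2 but not for #3, and the CreateFileA expression keys on the four characters after the \\.\ prefix. It also includes a simple static search for the same device names and registry paths, in ASCII and UTF-16LE, over a constructed blob; the function names and the blob are mine.

```python
# Added example: the two SoftICE breakpoint conditions from Methods 11 and 13
# re-implemented on byte strings, plus a static string search for the same
# artifacts. Names and the sample blob are mine, not from the original text.

DEVICE_NAMES = (b"SICE", b"SIWVID", b"NTICE")            # Method 11 driver names
REGISTRY_KEYS = (                                        # Method 13 keys #1..#3
    rb"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    rb"Software\NuMega\SoftICE",
    rb"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)


def createfile_bpx_fires(filename: bytes) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ... 'SIWV' || ... 'NTIC'
    esp->4 is lpFileName; +4 skips the 4-byte '\\\\.\\' prefix, so the dword
    compared is filename[4:8]."""
    return filename[4:8] in (b"SICE", b"SIWV", b"NTIC")


def regopenkey_bpx_fires(subkey: bytes) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is lpSubKey; 0x13 and 0x37 are where the 'tICE' of 'SoftICE' sits
    in key #2 and key #1 respectively."""
    return subkey[0x13:0x17] == b"tICE" or subkey[0x37:0x3B] == b"tICE"


def find_softice_artifacts(blob: bytes):
    """Offsets of device names and registry keys, searched as ASCII and UTF-16LE."""
    needles = [b"\\\\.\\" + name for name in DEVICE_NAMES] + list(REGISTRY_KEYS)
    hits = []
    for needle in needles:
        text = needle.decode("ascii")
        for encoding, encoded in (("ascii", needle),
                                  ("utf-16le", text.encode("utf-16-le"))):
            start = 0
            while (pos := blob.find(encoded, start)) != -1:
                hits.append((pos, encoding, text))
                start = pos + 1
    return sorted(hits)


# Constructed blob standing in for a slice of a program's data section.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"\\\\.\\SICE\x00"                                  # 16: ASCII device name
    + b"MZ"                                               # 25: unrelated bytes
    + "Software\\NuMega\\SoftICE".encode("utf-16-le")      # 27: wide registry key
    + b"\x00" * 8
    + b"\\\\.\\NTICE\x00"                                 # 81: ASCII device name
)

if __name__ == "__main__":
    for key in REGISTRY_KEYS:
        print(key.decode(), "->", regopenkey_bpx_fires(key))
    for pos, enc, text in find_softice_artifacts(SAMPLE_BLOB):
        print(f"{pos:04x} {enc:8} {text}")
```

Because both breakpoint conditions compare bytes at a fixed offset, a program that builds the string on the stack, uses a different prefix form, or passes a wide string to the W variant of the API slips past them; the static search above is the complementary check for the string as it sits in the file.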
__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>