<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: SoftICE's int 3
handler recognises 'BCHK' in EBP and alters AL, so AL is no longer 4
when the debugger is loaded.

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3                 ; answered by SoftICE if it is loaded
 cmp al, 4             ; AL untouched -> no SoftICE
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point): ES:DI is zeroed before the call, so a
non-zero ES:DI afterwards means the VxD answered.

 xor di,di
 mov es,di             ; ES:DI = 0 before the call
 mov ax, 1684h         ; Get Device API Entry Point
 mov bx, 0202h         ; VxD ID of winice
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax            ; still 0 -> no entry point -> no SoftICE
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of
the SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di             ; ES:DI = 0 before the call
 mov ax, 1684h         ; Get Device API Entry Point
 mov bx, 7a5Fh         ; VxD ID of SIWVID
 int 2fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax            ; still 0 -> no entry point -> no SoftICE
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax, 4fh           ; function 4Fh: debugger installation check
 int 41h
 cmp ax, 0F386h        ; magic number returned by system debuggers
 jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed
at a dummy handler, so an 0F386h answer can only come from a debugger that
intercepts int 41h before the IVT handler runs:

 xor ax,ax
 mov es,ax                 ; ES -> interrupt vector table (segment 0)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]       ; swap in the dummy handler (offset)...
 xchg bx, es:[41h*4+2]     ; ...and segment; DX:BX keep the old vector
 mov ax, 4fh
 int 41h
 xchg dx, es:[41h*4]       ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret                      ; dummy handler: leaves AX untouched
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
4Fh/0F386h magic values are used. AL is loaded with an arbitrary value read
from the timer port and a dummy int 41h handler copies AL into CL; if the
dummy handler was really reached, CL equals AL afterwards, otherwise a
debugger swallowed the interrupt and CL is still 0.

int41handler PROC
 mov cl,al             ; dummy handler: record that it was reached
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax             ; ES -> interrupt vector table (segment 0)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]   ; swap in the dummy handler, keep the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h            ; arbitrary value (timer counter), not 4Fh
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al             ; handler not reached -> CL != AL
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h                     ; DOS: set interrupt vector
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine  ; DS:DX -> new handler
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the VxD's device name only succeeds if the driver is loaded */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-((
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                 ; HFILE_ERROR (-1) becomes 0
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001   ; VxdCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected


Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
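Most of these tricks leave fixed byte patterns in the binary, so an analyst can triage a sample for them before ever loading it under SoftICE. The scanner below is an added example (not from the original text nor from any tool it names) that covers Methods 01, 02, 05, 11, 12 and 13 in one pass: the 'BCHK' constant, the 4647h/4A4Dh magic loads, the int 41h/4Fh check, the \\.\SICE-style device names, the 002A002Ah VxDCall push and the NuMega registry key. It assumes standard x86 encodings (a 66h operand-size prefix is accepted where the same instruction may sit in 16-bit or 32-bit code) and runs over a constructed sample blob.

```python
import re

# Byte-level signatures of the tricks described above (standard x86 encodings).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'); 66h prefix present in 16-bit code
    ("M01 BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ... mov di,4A4Dh (16-bit, short gap allowed)
    ("M02 int 3 back door magic SI/DI",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A", re.S)),
    # Method 05: mov ax,4Fh ; int 41h ; ... ; cmp ax,0F386h (66h prefixes in 32-bit code)
    ("M05 int 41h/4Fh debugger installation check",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41.{0,16}?\x66?\x3D\x86\xF3", re.S)),
    # Method 11: ASCII device names MeltICE hands to CreateFileA / _lopen
    ("M11 MeltICE SoftICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh (imm8 or imm32) ; push 002A002Ah (VWIN32_Int41Dispatch)
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key probed to locate the SoftICE install directory
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(blob: bytes):
    """Return sorted (offset, name) pairs for every signature hit in blob."""
    hits = []
    for name, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: filler bytes around a 32-bit Method 01 check, the
# Haspinst-style Method 02 call, the Method 12 pushes, a 16-bit Method 05
# check and the MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # M01 at offset 4
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # M02 SI/DI at 24
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # M12 at 34
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # M05 at 44
    + b"\x00\\\\.\\SICE\x00"                                 # M11 name at 53
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04X}  {name}")
```

Hits are reported with their file offset so they can be cross-checked in a disassembler; the string and registry patterns are ASCII only, so UTF-16 copies of the same names are not flagged.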

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed   ; ZF set if no debugger is installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>