About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; timer value, different on every run
    xor     cx,cx
    int     41h             ; our handler copies al into cl; SoftICE's does not
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
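As an added example that is not part of the original post: a small Python scanner that looks for the byte patterns of the tricks above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) in a raw binary image, the kind of static triage an analyst runs on a packed sample before loading it in a debugger. The opcode encodings are standard x86; the sample image at the bottom is constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Byte signatures for the anti-SoftICE tricks described above (standard x86
# encodings).  "(?:\x66)?" makes the operand-size prefix optional so the same
# pattern matches 16-bit DOS code and 32-bit Win32 code.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("method 01: mov ebp,'BCHK' / mov ax,4 / int 3",
     rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    ("method 02: int 3 back door magic SI=4647h DI=4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    ("method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x02\x02\xCD\x2F"),
    ("method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A\xCD\x2F"),
    ("method 05: mov ax,4Fh / int 41h",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    ("method 07: mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("method 11: SoftICE device name (MeltICE / _lopen variants)",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    ("method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("method 13: NuMega registry key",
     re.escape(b"Software\\NuMega\\SoftICE")),
]

COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed test image: a few of the tricks above glued together with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # method 01 (32-bit form)
    + b"\x90" * 2
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # method 03 (16-bit form)
    + b"\x90" * 2
    + b"\\\\.\\SICE\x00"                            # method 11 device name
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"               # method 12
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print(f"{off:08x}  {what}")
```

A hit only says the pattern is present, not that it is reachable; confirm in the debugger with the BPX/BPINT conditions given for each method.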