About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker request...
    cmp     al,4                   ; ...by changing al; without SoftICE al stays 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 when no VxD answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0: the real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h vector...
    xchg    bx, es:[41h*4+2]        ; ...keeping the old one in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

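As an added example (not part of the original post), here is a small C scanner that looks for the byte encodings of the checks from Methods 01, 02 and 05 in a 16-bit code image, the way an analyst would triage a DOS sample before loading it. It assumes a 16-bit code segment (mov si/di/ax,imm16 = BE/BF/B8 iw, mov ebp,imm32 = 66 BD id, int 3 = CC or CD 03), that the two magic moves of Method 02 sit next to each other as in the Haspinst.exe listing, and an 8-byte window before the int; the sample bytes are constructed from that listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { TRICK_BCHK = 1, TRICK_BACKDOOR = 2, TRICK_INT41 = 4 };  /* 1 << method index */

/* Offset of the n-byte pattern pat inside buf[from, from+window), or -1. */
static long find_seq(const uint8_t *buf, size_t len, size_t from, size_t window,
                     const uint8_t *pat, size_t n)
{
    size_t i, end = (from + window < len) ? from + window : len;
    for (i = from; i + n <= end; i++)
        if (memcmp(buf + i, pat, n) == 0) return (long)i;
    return -1;
}

/* 1 if an 'int vec' lies in the next 8 bytes; int 3 may also be the 1-byte CC. */
static int int_follows(const uint8_t *buf, size_t len, size_t from, uint8_t vec)
{
    const uint8_t cd[2] = { 0xCD, vec }, cc = 0xCC;
    return find_seq(buf, len, from, 8, cd, 2) >= 0 ||
           (vec == 3 && find_seq(buf, len, from, 8, &cc, 1) >= 0);
}

/* Scan a 16-bit code image for Methods 01, 02 and 05. Returns an OR of TRICK_*
 * flags; off[k] receives the offset of the first hit of each kind, or -1. */
int scan_anti_softice(const uint8_t *buf, size_t len, long off[3])
{
    static const uint8_t bchk[]  = { 0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,'BCHK'             */
    static const uint8_t magic[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A }; /* mov si,4647h; mov di,4A4Dh */
    static const uint8_t ax4f[]  = { 0xB8, 0x4F, 0x00 };                   /* mov ax,4Fh                 */
    static const struct { const uint8_t *pat; size_t n; uint8_t vec; } sig[3] = {
        { bchk, 6, 0x03 }, { magic, 6, 0x03 }, { ax4f, 3, 0x41 } };
    int k, found = 0;
    for (k = 0; k < 3; k++) {
        long p = find_seq(buf, len, 0, len, sig[k].pat, sig[k].n);
        /* a pattern only counts when the matching int follows it within 8 bytes */
        while (p >= 0 && !int_follows(buf, len, (size_t)p + sig[k].n, sig[k].vec))
            p = find_seq(buf, len, (size_t)p + 1, len, sig[k].pat, sig[k].n);
        off[k] = p;
        if (p >= 0) found |= 1 << k;
    }
    return found;
}

/* Constructed sample (not from a real file): the Haspinst.exe loop of Method 02
 * re-encoded as bytes, then the simplest Method 05 check. k = -1 -> flags, 0..2 -> off[k]. */
long scan_sample(int k)
{
    static const uint8_t sample[] = {
        0x90, 0x90, 0xB8, 0x11, 0x09, 0x8B, 0x17,  /* nop; nop; mov ax,0911h; mov dx,[bx]  */
        0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,  /* 7: mov si,4647h; mov di,4A4Dh; int 3 */
        0x83, 0xC3, 0x02, 0xB8, 0x4F, 0x00,        /* add bx,2; 17: mov ax,4Fh             */
        0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x02   /* int 41h; cmp ax,0F386h; jz detected  */
    };
    long off[3];
    int f = scan_anti_softice(sample, sizeof sample, off);
    return k < 0 ? f : off[k];
}

int main(void)
{
    printf("flags=%ld backdoor@%ld int41@%ld\n", scan_sample(-1), scan_sample(1), scan_sample(2));
    return 0;
}
```
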
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl...
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; ...al holds a random value (timer port)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; if a debugger took int 41h our handler never ran: cl=0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
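
As an added example (not part of the original post), decoding the DR7 values quoted above with the standard x86 DR7 bit layout shows what 0x400 and 0x700 actually mean and which bits an armed BPM would set. decode_dr7 and classify_dr7 are names chosen here, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout used here (standard x86): L0..L3/G0..G3 at bits 0..7, LE at bit 8,
 * GE at bit 9, bit 10 always reads as 1, GD at bit 13, R/Wn at bits 16+4n..17+4n
 * and LENn at bits 18+4n..19+4n. */
struct dr7_info {
    unsigned enabled;   /* bit n set when DRn is armed locally (Ln) or globally (Gn) */
    int le, ge, gd;     /* local/global exact breakpoint enable, general detect */
    unsigned rw[4];     /* 0 = execute, 1 = data write, 3 = data read/write */
    unsigned len[4];    /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d = { 0 };
    int n;
    for (n = 0; n < 4; n++) {
        if ((dr7 >> (2 * n)) & 3)           /* Ln or Gn set */
            d.enabled |= 1u << n;
        d.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n] = (dr7 >> (18 + 4 * n)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* What a Method 10 style check concludes from a DR7 snapshot:
 *   0 = the plain 0x400 state (only the always-set bit 10),
 *   1 = LE and GE set with nothing armed, i.e. the 0x700 state the text
 *       attributes to the SoftICE loader,
 *   2 = at least one of DR0..DR3 is armed (a BPM is set). */
int classify_dr7(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    if (d.enabled) return 2;
    if (d.le && d.ge) return 1;
    return 0;
}

int main(void)
{
    /* constructed values: the two quoted in Method 10, plus 0x700 with a
       4-byte data-write breakpoint armed in DR0 (L0, R/W0 = 1, LEN0 = 3) */
    uint32_t samples[3] = { 0x400, 0x700, 0x700 | 0x1 | (1u << 16) | (3u << 18) };
    int i;
    for (i = 0; i < 3; i++) {
        struct dr7_info d = decode_dr7(samples[i]);
        printf("dr7=%08x LE=%d GE=%d armed=%x rw0=%u len0=%u -> %d\n", (unsigned)samples[i],
               d.le, d.ge, d.enabled, d.rw[0], d.len[0], classify_dr7(samples[i]));
    }
    return 0;
}
```
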

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the VxD by its device name only succeeds if SICE is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>