<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                   ; al left untouched (still 4): nobody answered the BCHK call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax                  ; ES:DI still 0000:0000 -> no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; replace the int 41h vector with our own handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; replace the int 41h vector with our own handler
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read a timer byte into al
    xor cx,cx
    int 41h                     ; our handler copies al into cl ...
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                   ; ... so cl != al means our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                 ; DOS set interrupt vector
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
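To see what the two dr7 values quoted above actually encode, here is an added example (not code from the original text) that decodes a DR7 value according to the Intel debug-register layout; it only interprets a value it is given, since reading DR7 itself needs ring0, as the text says:

```python
"""Decode a DR7 value into its fields (Intel debug-register layout).
Added example, not code from the original text. It shows what the values
quoted above mean: 0x400 is DR7 with only the always-set reserved bit 10,
0x700 adds the LE/GE exact-breakpoint bits, and an armed BPM shows up as an
L0-3/G0-3 enable bit plus an R/W and LEN condition field for that slot."""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}       # LEN=10b means 8 bytes on 64-bit CPUs


def decode_dr7(dr7: int) -> dict:
    """Return the control flags and the list of enabled DR0-DR3 slots."""
    info = {
        "LE": bool(dr7 & (1 << 8)),          # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),          # global exact breakpoint enable
        "reserved10": bool(dr7 & (1 << 10)), # reads as 1 on a reset DR7
        "GD": bool(dr7 & (1 << 13)),         # general detect: trap on mov DRn
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))           # L0..L3
        glob = bool(dr7 & (1 << (2 * n + 1)))        # G0..G3
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3               # R/W0..R/W3
        ln = (dr7 >> (18 + 4 * n)) & 3               # LEN0..LEN3
        info["breakpoints"].append({"slot": n, "local": local, "global": glob,
                                    "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return info


def describe(dr7: int) -> str:
    """One-line reading of DR7 in the terms the text above uses."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        slots = ", ".join(f"DR{b['slot']} {b['type']}/{b['length']}B"
                          for b in d["breakpoints"])
        return f"memory breakpoint(s) armed: {slots}"
    if d["LE"] and d["GE"]:
        return "no breakpoints; LE+GE set (the 0x700 case: loaded via the SoftICE loader)"
    return "no breakpoints; only reserved bit 10 set (the 0x400 reset value)"


def build_dr7(slot: int, rw: int, length_code: int, local: bool = True) -> int:
    """Build a DR7 value arming one slot; used here to construct test inputs."""
    enable = 1 << (2 * slot + (0 if local else 1))
    return 0x400 | enable | (rw << (16 + 4 * slot)) | (length_code << (18 + 4 * slot))


if __name__ == "__main__":
    for value in (0x400, 0x700, build_dr7(0, rw=1, length_code=3)):
        print(f"dr7={value:#010x}: {describe(value)}")
```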

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded and answered the open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) + 1 == 0 -> open failed
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected.

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
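The landmarks of Methods 01-07 (the 'BCHK' constant, the 4647h/4A4Dh magic values, int 2Fh/1684h with the two VxD IDs, the int 41h and int 68h calls), the MeltICE device names of Method 11 and the VxDCall push sequence of Method 12 can all be recognised statically in a binary. The scanner below is an added example, not code from the original text; the byte encodings are the standard 16/32-bit x86 ones for the instructions shown, and the sample buffer is constructed:

```python
"""Static scan for the SoftICE-detection byte patterns listed in this text.
Added example, not code from the original text: it maps the listings of
Methods 01-07, 11 and 12 to their 16/32-bit x86 encodings and reports where
they occur in a buffer; the sample buffer at the bottom is constructed."""
import re

# tag -> (what the listing contains, byte regex). Immediates are little-endian;
# lazy wildcard gaps allow for the instructions between the landmarks.
SIGNATURES = {
    "M01": ("mov ebp,'BCHK' (BD 4B 48 43 42) followed by int 3",
            rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    "M02": ("back-door magic: mov si,4647h and mov di,4A4Dh",
            rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46"),
    "M03": ("int 2Fh/1684h with bx=0202h (SICE VxD ID)",
            rb"(?:\xB8\x84\x16.{0,8}?\xBB\x02\x02|\xBB\x02\x02.{0,8}?\xB8\x84\x16).{0,8}?\xCD\x2F"),
    "M04": ("int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
            rb"(?:\xB8\x84\x16.{0,8}?\xBB\x5F\x7A|\xBB\x5F\x7A.{0,8}?\xB8\x84\x16).{0,8}?\xCD\x2F"),
    "M05": ("mov ax,4Fh then int 41h (0F386h magic check)",
            rb"\xB8\x4F\x00.{0,4}?\xCD\x41"),
    "M06": ("in al,40h then int 41h (timer byte through own handler)",
            rb"\xE4\x40.{0,4}?\xCD\x41"),
    "M07": ("mov ah,43h then int 68h (V86 WinICE handler)",
            rb"\xB4\x43.{0,4}?\xCD\x68"),
    "M11": ("MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
            re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    "M12": ("VxDCall: push 4Fh; push 002A002Ah (VWIN32_Int41Dispatch)",
            rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
}
COMPILED = {t: (d, re.compile(p, re.S)) for t, (d, p) in SIGNATURES.items()}


def scan(buf: bytes) -> list:
    """Return [(tag, offset, description), ...] sorted by offset."""
    hits = [(tag, m.start(), desc)
            for tag, (desc, rx) in COMPILED.items()
            for m in rx.finditer(buf)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: NOP filler around excerpts of the listings above.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"    # Method 01 (offset 4)
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"    # Method 02 (magic at 20)
    + b"\x90" * 2
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"            # Method 03 (offset 29)
    + b"\\\\.\\SICE\x00"                             # Method 11 (offset 37)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                # Method 12 (offset 46)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"            # Method 05 (offset 53)
)

if __name__ == "__main__":
    for tag, off, desc in scan(SAMPLE):
        print(f"{off:#06x}  {tag}  {desc}")
```

Only the ASCII form of the device names is matched; a wide-string variant would need a second pattern.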

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>