About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; al is still 4 unless SoftICE answered the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, the hard-reboot command, for instance...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler if the debugger
  is not loaded (nothing answers the int 3 then).
___________________________________________________________________________
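The "you'll always see SI=4647h, DI=4A4Dh" remark is a signature, so it can be
scanned for statically. The following C scanner is an added example, not part of
the original text: it re-encodes the Haspinst.exe loop from the listing above by
hand (constructed bytes, not a dump of the file; offsets relative to 4C19:0095),
then looks for both magic loads followed by an int 3 within a short window and
reports the AX function used. Function names (find_sice_backdoor and the
wrappers) are mine.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not from the original text: static scanner for the int 3
 * back-door signature (mov si,4647h / mov di,4A4Dh followed by int 3).
 * HASP_LOOP is the Haspinst.exe loop from the listing, re-encoded by hand
 * (constructed, not dumped from the file); offsets are relative to 4C19:0095. */
static const uint8_t HASP_LOOP[] = {
    0xB8, 0x11, 0x09,   /* 0095  mov ax,0911h */
    0x8B, 0x17,         /* 0098  mov dx,[bx]  */
    0xBE, 0x47, 0x46,   /* 009A  mov si,4647h */
    0xBF, 0x4D, 0x4A,   /* 009D  mov di,4A4Dh */
    0xCC,               /* 00A0  int 3        */
    0x83, 0xC3, 0x02,   /* 00A1  add bx,2     */
    0x41,               /* 00A4  inc cx       */
    0x83, 0xF9, 0x06,   /* 00A5  cmp cx,6     */
    0x72, 0xEB,         /* 00A8  jb  0095     */
    0xE9, 0x55, 0xFF,   /* 00AA  jmp 0002     */
    0x8B, 0xDC,         /* 00AD  mov bx,sp    */
};

/* Constructed control sample: loads the SI magic but never calls int 3. */
static const uint8_t BENIGN[] = { 0xBE, 0x47, 0x46, 0x89, 0xF0, 0xC3 };

#define SICE_MAGIC_SI 0x4647u
#define SICE_MAGIC_DI 0x4A4Du
#define SCAN_WINDOW   24      /* bytes within which the three pieces must sit */

/* Decode "mov r16,imm16" (opcodes B8+r) at p; returns 1 and fills reg/imm. */
static int match_mov_r16_imm(const uint8_t *p, size_t avail, int *reg, unsigned *imm)
{
    if (avail < 3 || p[0] < 0xB8 || p[0] > 0xBF)
        return 0;
    *reg = p[0] - 0xB8;                      /* 0=ax .. 6=si, 7=di */
    *imm = (unsigned)p[1] | ((unsigned)p[2] << 8);
    return 1;
}

/* Scan buf for the back door. On a hit returns 1, stores the offset of the
 * int 3 in *at and the AX function (09xxh, or -1 if no mov ax,09xxh was seen
 * in the window) in *func. A plain linear sweep: a packer that spreads the
 * loads further apart than SCAN_WINDOW, or computes the magic values instead
 * of loading them as immediates, will not be caught. */
int find_sice_backdoor(const uint8_t *buf, size_t len, size_t *at, int *func)
{
    for (size_t i = 0; i < len; i++) {
        size_t end = (i + SCAN_WINDOW < len) ? i + SCAN_WINDOW : len;
        int seen_si = 0, seen_di = 0, ax = -1;
        for (size_t j = i; j < end; j++) {
            int reg; unsigned imm;
            if (match_mov_r16_imm(buf + j, end - j, &reg, &imm)) {
                if (reg == 6 && imm == SICE_MAGIC_SI)            seen_si = 1;
                else if (reg == 7 && imm == SICE_MAGIC_DI)       seen_di = 1;
                else if (reg == 0 && (imm & 0xFF00u) == 0x0900u) ax = (int)imm;
                j += 2;                              /* skip the immediate */
                continue;
            }
            /* int 3 in either encoding: CC, or the long form CD 03 */
            int is_int3 = buf[j] == 0xCC ||
                          (buf[j] == 0xCD && j + 1 < end && buf[j + 1] == 0x03);
            if (is_int3 && seen_si && seen_di) {
                if (at)   *at = j;
                if (func) *func = ax;
                return 1;
            }
        }
    }
    return 0;
}

/* Scalar wrappers: offset of the int 3 (or -1), AX function (or -1). */
long sice_backdoor_offset(const uint8_t *buf, size_t len)
{
    size_t at; int func;
    return find_sice_backdoor(buf, len, &at, &func) ? (long)at : -1;
}

int sice_backdoor_function(const uint8_t *buf, size_t len)
{
    size_t at; int func;
    return find_sice_backdoor(buf, len, &at, &func) ? func : -1;
}
```

On HASP_LOOP the scanner reports the int 3 at offset 11 (4C19:00A0) with
function 0911h; the BENIGN sample is not flagged because only the SI magic is
present. The window size is the usual trade-off of a signature scan.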


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get Device Entry Point Address).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first replaced by a
dummy handler that just returns: on a clean system the int then comes back
with ax unchanged (and without jumping through whatever the vector held; on
DOS int 41h is the fixed-disk parameter table pointer, not code), while a
system debugger intercepts int 41h before the vector is used and still
answers 0F386h. es must point to segment 0 (the interrupt vector table):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]        ; install the dummy handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]        ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method, similar to the preceding one but more difficult to detect: it
never compares against 0F386h and never uses function 4Fh. The dummy handler
copies al into cl, and al was just loaded with a changing byte from the timer
chip's counter (port 40h). If the int 41h reaches the handler installed in
the vector table, cl == al on return; if a system debugger handled the int
itself, cl is still 0 from the xor (the check misses only when al happened
to be 0).


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                 ; es = 0, the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]        ; install our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h               ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]        ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

+ f# Y/ H6 }2 B  s- b" PMethod 07+ r" o- C/ j$ j: N& I3 V$ p
=========
: \* s/ a" C  M; |
6 k5 Z# Y/ c( Z/ z& ~Method of detection of the WinICE handler in the int68h (V86)0 ^2 {; p# H: e$ B# |4 u
) j! g2 T+ D5 o+ r4 @/ y. P
    mov     ah,43h' }- I( S! X4 E+ Y& P, c
    int     68h8 F5 ~! y% D% O% f6 C- @4 t, g
    cmp     ax,0F386h
( @+ |  {! j: `2 \& n& Q" L    jz      SoftICE_Detected  o8 V; ?% x% B8 w

1 n) f7 W5 ?3 \8 l- s2 ~; Z1 ~6 E' U
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit" p$ _+ }" A: {
   app like this:
9 H9 N; v4 o2 ~0 v  ^& m
& h8 v; t. s2 }) @7 d   BPX exec_int if ax==68
5 s+ T/ T. B, h& U! J   (function called is located at byte ptr [ebp+1Dh] and client eip is& B$ g+ l8 g( K7 z$ W# x, {2 G' z
   located at [ebp+48h] for 32Bit apps)8 [5 i: B3 p, f! Q3 U! T+ m
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number        ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring 0 only). Bit 10 of dr7 is reserved and always reads as
1, which is the 0x400 baseline; 0x700 means the LE and GE bits (8 and 9) are
set as well. Values can be manipulated and/or changed as well (clearing BPMs
for instance).

__________________________________________________________________________
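The DR7 layout behind the 0x700/0x400 remark, decoded in C as an added example
(not from the original text). It shows both halves of the check: the loader
signature in bits 8-10, and which of DR0..DR3 are armed, with what access type
and length, which is what "some memory breakpoints set" looks like at the bit
level. The value itself must come from a ring-0 "mov eax, dr7", which is not
done here; the DR7_SAMPLE_* constants are constructed and the function names are
mine.

```c
#include <stdint.h>

/* Added example, not from the original text: decode a DR7 value the way the
 * Method 10 check looks at it. Bit layout per the Intel SDM (Debug Registers):
 *   bits 0-7   L0,G0 .. L3,G3  local/global enable for DR0..DR3
 *   bits 8-9   LE, GE          "exact" breakpoint mode (set by the SoftICE
 *                              loader, giving 0x700 instead of 0x400)
 *   bit 10     reserved, always reads as 1 (the 0x400 baseline)
 *   bits 16-31 R/W and LEN fields, 4 bits per register
 * The samples below are constructed, not read from a real machine. */

#define DR7_LE           0x100u
#define DR7_GE           0x200u
#define DR7_RESERVED_1   0x400u

#define DR7_SAMPLE_CLEAN        0x00000400u  /* nothing loaded, nothing armed  */
#define DR7_SAMPLE_SICE_LOADER  0x00000700u  /* LE|GE set by the SoftICE loader */
#define DR7_SAMPLE_BPM_DR0_RW   (0x00000700u | 1u | (3u << 16) | (3u << 18))
                                /* + L0 enabled, read/write, 4-byte length   */

/* First half of the trick: 0x700 (LE and GE on top of the reserved bit). */
int dr7_set_by_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_RESERVED_1 | DR7_LE | DR7_GE)) == 0x700u;
}

/* 1 if DRn is enabled, locally (bit 2n) or globally (bit 2n+1). */
int dr7_bp_enabled(uint32_t dr7, int n)
{
    if (n < 0 || n > 3)
        return 0;
    return ((dr7 >> (2 * n)) & 3u) != 0;
}

/* Second half of the trick: how many of DR0..DR3 are armed (BPMs live here). */
int dr7_bp_count(uint32_t dr7)
{
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += dr7_bp_enabled(dr7, n);
    return count;
}

/* R/W field for DRn: 0 execute, 1 write, 2 I/O (only with CR4.DE), 3 read/write. */
int dr7_bp_rw(uint32_t dr7, int n)
{
    return (int)((dr7 >> (16 + 4 * n)) & 3u);
}

/* LEN field for DRn in bytes: 00=1, 01=2, 11=4; 10 means 8 in 64-bit mode and
 * is undefined on the 32-bit systems SoftICE ran on. */
int dr7_bp_len_bytes(uint32_t dr7, int n)
{
    switch ((dr7 >> (18 + 4 * n)) & 3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

/* What "clearing BPMs" amounts to: drop all enable bits and all R/W+LEN
 * fields, leaving LE/GE and the reserved bit as they were. */
uint32_t dr7_clear_all_bp(uint32_t dr7)
{
    return dr7 & ~0xFFFF00FFu;
}
```

With DR7_SAMPLE_BPM_DR0_RW the decoder reports one armed register, DR0, as a
4-byte read/write breakpoint on top of the loader signature; clearing it gives
back exactly 0x700, so a protection that wipes breakpoints this way still leaves
the loader signature visible.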

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered the open: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName, the first argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit-style _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, so "inc eax" leaves zero exactly when the open failed):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-()

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is lpSubKey, the second argument; 0x13 is the offset of "tICE" in
key #2 and 0x37 its offset in key #1. Key #3 does not contain "tICE" at
either offset, so this breakpoint will not fire for it.)

__________________________________________________________________________
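The two breakpoint conditions quoted for Method 11 (BPX CreateFileA ...) and
Method 13 (BPX _regopenkey ...), evaluated in C on the argument strings the
hooked APIs receive, as an added example that is not part of the original text.
It makes visible what each condition catches and what it misses, and adds a
position-independent variant for the registry check. The device names and
subkeys are the ones named in the text (the hive prefix is not part of the
lpSubKey argument); the function names are mine. SoftICE's *(p+n)=='SICE' reads
the four bytes at p+n and compares them with the four characters; memcmp
reproduces that intent, with the one difference that the C version refuses to
read past the terminator, where SoftICE would read whatever follows the string.

```c
#include <string.h>
#include <stddef.h>
#include <ctype.h>

/* Added example, not from the original text: the Method 11 and Method 13
 * breakpoint conditions evaluated in C on the hooked APIs' string arguments.
 * Strings are those named in the text; the hive prefix is not part of the
 * lpSubKey argument RegOpenKey receives. */
#define DEV_SICE   "\\\\.\\SICE"
#define DEV_SIWVID "\\\\.\\SIWVID"
#define DEV_NTICE  "\\\\.\\NTICE"
#define REG_KEY_1  "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"
#define REG_KEY_2  "Software\\NuMega\\SoftICE"
#define REG_KEY_3  "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"

/* *(s+off)=='tag' with a bounds check: 1 if the 4 bytes at s+off equal tag.
 * SoftICE itself would read past the terminator; we refuse to. */
static int tag_at(const char *s, size_t off, const char *tag)
{
    if (s == NULL || off + 4 > strlen(s))
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName (first argument, above the return address); +4 skips
 * the "\\.\" prefix. The _lopen variant passes the same string, so the same
 * condition works on KERNEL32!_lopen. */
int cond_createfile_meltice(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE")
        || tag_at(lpFileName, 4, "SIWV")
        || tag_at(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey (second argument); 0x13 is where "tICE" sits in key #2,
 * 0x37 where it sits in key #1. Key #3 never contains "tICE", so this
 * condition does not fire for it. */
int cond_regopenkey_softice(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* Case-insensitive substring search: position-independent, unlike the fixed
 * offsets above, at the price of a loop per call. */
int contains_nocase(const char *haystack, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0)
        return 1;
    for (; *haystack; haystack++) {
        size_t i = 0;
        while (i < n && haystack[i] &&
               tolower((unsigned char)haystack[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Broader form of the Method 13 check: any of the three keys, by name. */
int mentions_softice_install(const char *lpSubKey)
{
    return contains_nocase(lpSubKey, "softice")
        || contains_nocase(lpSubKey, "loader32.exe");
}
```

cond_createfile_meltice fires on all three device names and stays quiet on
ordinary paths; cond_regopenkey_softice fires on keys #1 and #2 only, which is
the gap the by-name variant closes for key #3. Note that for key #2 the 0x37
probe would read past the end of the 23-byte string in SoftICE; here it is
simply skipped.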

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>