<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE!

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's BoundsChecker interface answers here
    cmp al, 4               ; al is still 4 when nothing handled the request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/AX=1684h
(Get Device API Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table (setup added here, as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h                 ; ...which SoftICE intercepts before it reaches us
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler just copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a varying value from the timer port
    xor cx, cx
    int 41h                 ; reaches our handler only if SoftICE does not intercept
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al when our handler ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
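
Added example (my own, not from the original text): a small Python decoder for
the DR7 values this method reads, so the 0x700 / 0x400 figures and any armed
DR0-DR3 slots can be read off directly. The bit layout is the documented x86 one;
the function names and the classification strings are my own.

```python
# Added example: decode x86 DR7 the way Method 10 reads it. Bit layout per the
# Intel SDM: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10
# (reads as 1), GD bit 13, then R/W and LEN pairs for DR0-DR3 in bits 16-31.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b means 8 bytes on 64-bit CPUs


def _bit(value: int, n: int) -> bool:
    return bool((value >> n) & 1)


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its control bits and the armed DR0-DR3 slots."""
    info = {
        "LE": _bit(dr7, 8),
        "GE": _bit(dr7, 9),
        "reserved_bit10": _bit(dr7, 10),
        "GD": _bit(dr7, 13),
        "breakpoints": [],
    }
    for i in range(4):
        local = _bit(dr7, 2 * i)
        glob = _bit(dr7, 2 * i + 1)
        if not (local or glob):
            continue                      # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        info["breakpoints"].append({"dr": i, "local": local, "global": glob,
                                    "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return info


def classify_dr7(dr7: int) -> str:
    """Map DR7 to the three situations Method 10 describes (labels are mine)."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        armed = ",".join("DR%d" % b["dr"] for b in d["breakpoints"])
        return "memory breakpoints armed: " + armed
    if d["LE"] and d["GE"]:
        return "LE/GE set (0x700 pattern): as seen when loaded with the SoftICE loader"
    return "idle (0x400 pattern): no hardware breakpoints"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x000D0403):   # constructed sample values
        print("DR7=%08x -> %s" % (value, classify_dr7(value)))
```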

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
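
Added example (my own, not part of the original text or of any tool it quotes):
a Python scanner that flags the byte and string signatures of Methods 01-07, 11,
12 and 13 in a raw binary, the way an analyst triages a sample for these tricks.
The instruction encodings assume 16-bit code for the DOS checks and 32-bit code
for the Win32 ones; the signature names, scan() and the SAMPLE blob are mine.

```python
import re

# Signatures for the checks described above (16-bit encodings for the DOS
# tricks, 32-bit for the Win32 ones; a 66h prefix in between would not match).
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' probe",
     rb"\xBD\x4B\x48\x43\x42"),                     # mov ebp,4243484Bh
    ("M02 backdoor magic SI/DI",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),          # mov si,4647h .. mov di,4A4Dh
    ("M03 int 2F/1684 VxD 0202 (SICE)",
     rb"\xB8\x84\x16\xBB\x02\x02"),                 # mov ax,1684h / mov bx,0202h
    ("M04 int 2F/1684 VxD 7A5F (SIWVID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A"),                 # mov ax,1684h / mov bx,7A5Fh
    ("M05 int 41h/4Fh debugger check",
     rb"\xB8\x4F\x00\xCD\x41"),                     # mov ax,4Fh / int 41h
    ("M07 int 68h/43h check",
     rb"\xB4\x43\xCD\x68"),                         # mov ah,43h / int 68h
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),           # \\.\SICE etc.
    ("M12 VxDCall VWIN32_Int41Dispatch",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"), # push 4Fh / push 2A002Ah
    ("M13 SoftICE registry key",
     rb"Software\\NuMega\\SoftICE"),
]


def scan(data: bytes) -> list:
    """Return (offset, signature name) pairs found in data, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a Method 01 probe, then a Haspinst-style Method 02 call,
# then a MeltICE device name, separated by filler bytes.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("%06x  %s" % (off, name))
```

Run it over a whole file with scan(open(path, "rb").read()); hits are a triage hint, not proof, since a 66h prefix or a different register choice changes the bytes.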

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>