About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK', the BoundsChecker signature
    mov     ax, 04h                ; BoundsChecker sub-function 4
    int     3                      ; SoftICE recognises BCHK/AX=4 and modifies AL
    cmp     al,4                   ; AL unchanged -> nobody answered the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
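As an added example that is not part of the original text: a small scanner that flags the Method 01 and Method 02 patterns in raw code bytes. It looks for the instruction encodings of MOV EBP,4243484Bh and of MOV SI,4647h followed by MOV DI,4A4Dh, and requires an INT 3 (CCh) within a few bytes after them, which is what separates a real back-door call from the constants merely appearing in data. The sample buffer was assembled by me from the mnemonics of the Haspinst.exe listing above, plus a Method 01 stub and a decoy; it is not copied from any real file, and the window sizes are my own choice.

```c
/* Added example, not code from the original text. Scans raw code bytes for
 * the Method 01 and Method 02 patterns: MOV EBP,4243484Bh ('BCHK') or
 * MOV SI,4647h followed by MOV DI,4A4Dh, each with an INT 3 (CCh) shortly
 * after. SAMPLE was assembled by me from the Haspinst.exe mnemonics above
 * plus a Method 01 stub and a decoy; it is not copied from a real file. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum trick { TRICK_NONE = 0, TRICK_BCHK = 1, TRICK_BACKDOOR = 2 };

struct hit {
    enum trick kind;
    size_t     offset;    /* where the first matched MOV starts */
    unsigned   ax_func;   /* Method 02: AX sub-function (09xxh), 0 if not found */
};

#define INT3_WINDOW     16   /* INT 3 must appear within this many bytes after the MOVs */
#define MOV_DI_WINDOW    8   /* MOV DI must appear within this many bytes after MOV SI   */
#define MOV_AX_LOOKBACK 12   /* MOV AX,09xxh is sought this many bytes before MOV SI      */

static const uint8_t SAMPLE[] = {
    /* Method 01 stub, 32-bit encoding (offset 0) */
    0xBD, 0x4B, 0x48, 0x43, 0x42,           /* mov ebp, 4243484Bh */
    0x66, 0xB8, 0x04, 0x00,                 /* mov ax, 4 */
    0xCC,                                   /* int 3 */
    0x3C, 0x04,                             /* cmp al, 4 */
    0x75, 0x05,                             /* jnz SoftICE_Detected */
    /* Haspinst.exe loop, 16-bit encoding (offset 14 == 4C19:0095) */
    0xB8, 0x11, 0x09,                       /* mov ax, 0911h */
    0x8B, 0x17,                             /* mov dx, [bx] */
    0xBE, 0x47, 0x46,                       /* mov si, 4647h */
    0xBF, 0x4D, 0x4A,                       /* mov di, 4A4Dh */
    0xCC,                                   /* int 3 */
    0x83, 0xC3, 0x02,                       /* add bx, 2 */
    0x41,                                   /* inc cx */
    0x83, 0xF9, 0x06,                       /* cmp cx, 6 */
    0x72, 0xEB,                             /* jb 0095 */
    0xE9, 0x55, 0xFF,                       /* jmp 0002 */
    0x8B, 0xDC,                             /* mov bx, sp */
    /* decoy (offset 40): magic values with no INT 3 nearby, must not match */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90
};

/* Is there a CCh byte in [from, from + INT3_WINDOW)? */
static int int3_follows(const uint8_t *buf, size_t len, size_t from)
{
    size_t end = from + INT3_WINDOW < len ? from + INT3_WINDOW : len;
    for (size_t i = from; i < end; i++)
        if (buf[i] == 0xCC) return 1;
    return 0;
}

/* Offset just past a MOV DI,4A4Dh found within MOV_DI_WINDOW of p, else 0. */
static size_t past_mov_di(const uint8_t *buf, size_t len, size_t p)
{
    static const uint8_t di_jm[] = { 0xBF, 0x4D, 0x4A };
    for (size_t i = p; i < p + MOV_DI_WINDOW && i + sizeof di_jm <= len; i++)
        if (memcmp(buf + i, di_jm, sizeof di_jm) == 0) return i + sizeof di_jm;
    return 0;
}

/* Look back from 'at' for MOV AX,imm16 (B8 iw) with AH == 09h. */
static unsigned backdoor_function(const uint8_t *buf, size_t at)
{
    for (size_t back = 3; back <= MOV_AX_LOOKBACK && back <= at; back++) {
        const uint8_t *p = buf + at - back;
        if (p[0] == 0xB8 && p[2] == 0x09) return 0x0900u | p[1];
    }
    return 0;
}

/* Scan from *pos; on a match fill *h, advance *pos past it and return 1. */
int scan_next(const uint8_t *buf, size_t len, size_t *pos, struct hit *h)
{
    static const uint8_t bchk[]  = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };  /* mov ebp,'BCHK' */
    static const uint8_t si_fg[] = { 0xBE, 0x47, 0x46 };              /* mov si,4647h  */

    for (size_t i = *pos; i < len; i++) {
        if (i + sizeof bchk <= len && memcmp(buf + i, bchk, sizeof bchk) == 0
            && int3_follows(buf, len, i + sizeof bchk)) {
            h->kind = TRICK_BCHK; h->offset = i; h->ax_func = 0;
            *pos = i + sizeof bchk;
            return 1;
        }
        if (i + sizeof si_fg <= len && memcmp(buf + i, si_fg, sizeof si_fg) == 0) {
            size_t after_di = past_mov_di(buf, len, i + sizeof si_fg);
            if (after_di && int3_follows(buf, len, after_di)) {
                h->kind = TRICK_BACKDOOR; h->offset = i;
                h->ax_func = backdoor_function(buf, i);
                *pos = after_di;
                return 1;
            }
        }
    }
    *pos = len;
    return 0;
}

size_t scan_all(const uint8_t *buf, size_t len, struct hit *out, size_t max)
{
    size_t pos = 0, n = 0;
    while (n < max && scan_next(buf, len, &pos, &out[n])) n++;
    return n;
}

/* Results over SAMPLE by name, so they can be checked without parsing output. */
size_t demo_hit_count(void)
{
    struct hit hits[8];
    return scan_all(SAMPLE, sizeof SAMPLE, hits, 8);
}

struct hit demo_hit(size_t i)
{
    struct hit hits[8], none = { TRICK_NONE, 0, 0 };
    size_t n = scan_all(SAMPLE, sizeof SAMPLE, hits, 8);
    return i < n ? hits[i] : none;
}

int main(void)
{
    struct hit hits[8];
    size_t n = scan_all(SAMPLE, sizeof SAMPLE, hits, 8);
    for (size_t i = 0; i < n; i++) {
        if (hits[i].kind == TRICK_BCHK)
            printf("offset %zu: Method 01, BCHK signature + INT 3\n", hits[i].offset);
        else
            printf("offset %zu: Method 02 back door, AX=%04Xh\n", hits[i].offset, hits[i].ax_func);
    }
    return 0;
}
```

The look-back for MOV AX,09xxh recovers which back-door function is requested (0911h in the Haspinst loop, execute command); the decoy at offset 40 carries both magic values but no INT 3 within the window and is ignored.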
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device Entry Point"):

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; int 2Fh/1684h: get VxD API entry point
    mov     bx, 0202h               ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; int 2Fh/1684h: get VxD API entry point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh          ; int 41h/4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h      ; a system debugger answers with AX = 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed
first, so that without a debugger the call returns harmlessly with AX
unchanged; with a debugger loaded the int 41h is handled by the debugger
itself and still answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, old offset -> DX
    xchg    bx, es:[41h*4+2]        ; old segment -> BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; dummy handler: do nothing
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect (no
4Fh/0F386h constants). AL is loaded with an arbitrary value (a read of the
timer port), CX is cleared, and int 41h is called with our own handler
installed. If the interrupt reaches our handler, it copies AL into CL; if a
debugger has taken int 41h, the handler is never executed and CL is still 0.
(Should the port happen to return 0, the check silently passes.)

int41handler PROC
    mov     cl,al                   ; reached only when no debugger owns int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value (timer channel 0)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL -> our handler was bypassed
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h          ; int 68h/43h: installation check
    int     68h
    cmp     ax,0F386h       ; magic number of a system debugger
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
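As an added example (not from the original text), the following C decodes DR7 the way Method 10 reads it. Bit 10 of DR7 is reserved and always reads as 1, which is why an untouched DR7 is 0x400; bits 8 and 9 are the LE/GE "exact breakpoint" enables, which gives the 0x700 mentioned above; bits 0..7 are the local/global enables of the four breakpoint slots and bits 16..31 carry each slot's R/W and LEN fields, which is what a BPM looks like. Reading DR7 itself requires ring 0 (mov eax,dr7), so the code takes the raw value as input; the BPM value 0x00030701 is one I constructed (slot 0, read/write, 1 byte), not a value captured from SoftICE.

```c
/* Added example, not code from the original text: decode and classify DR7
 * values as Method 10 uses them. 0x400 = only the reserved bit 10 set;
 * 0x700 = LE/GE (bits 8,9) also set, the loader signature; any of bits 0..7
 * = a hardware breakpoint (BPM) armed. 0x00030701 is a BPM I constructed. */
#include <stdint.h>
#include <stdio.h>

#define DR7_RESERVED_BIT10  (1u << 10)
#define DR7_LE              (1u << 8)
#define DR7_GE              (1u << 9)
#define DR7_GD              (1u << 13)   /* general detect: trap on DRx access */

enum dr7_class {
    DR7_CLEAN = 0,        /* 0x400: nothing set, no debugger touched it */
    DR7_EXACT_ONLY = 1,   /* 0x700: LE/GE set, no breakpoint armed */
    DR7_BREAKPOINTS = 2   /* at least one Ln/Gn enable bit set (BPM) */
};

struct dr7_slot {
    int enabled;          /* Ln or Gn set */
    int global;           /* Gn set */
    unsigned rw;          /* 0 exec, 1 write, 2 I/O (CR4.DE), 3 read/write */
    unsigned len_bytes;   /* 1, 2, 4 (8 only on 64-bit) */
};

/* Decode one of the four hardware breakpoint slots out of DR7. */
struct dr7_slot dr7_slot(uint32_t dr7, unsigned n)
{
    static const unsigned len_tab[4] = { 1, 2, 8, 4 };   /* LEN encoding */
    struct dr7_slot s;
    unsigned l = (dr7 >> (2 * n)) & 1u;
    unsigned g = (dr7 >> (2 * n + 1)) & 1u;
    s.enabled   = (l | g) != 0;
    s.global    = g != 0;
    s.rw        = (dr7 >> (16 + 4 * n)) & 3u;
    s.len_bytes = len_tab[(dr7 >> (18 + 4 * n)) & 3u];
    return s;
}

int dr7_slot_enabled(uint32_t dr7, unsigned n) { return dr7_slot(dr7, n).enabled; }
unsigned dr7_slot_rw(uint32_t dr7, unsigned n) { return dr7_slot(dr7, n).rw; }
unsigned dr7_slot_len(uint32_t dr7, unsigned n) { return dr7_slot(dr7, n).len_bytes; }

/* Classify a DR7 value the way Method 10 interprets it. */
enum dr7_class dr7_classify(uint32_t dr7)
{
    if (dr7 & 0xFFu)                       /* any L0..L3 / G0..G3 */
        return DR7_BREAKPOINTS;
    if (dr7 & (DR7_LE | DR7_GE))
        return DR7_EXACT_ONLY;
    return DR7_CLEAN;
}

/* "Values can be manipulated": disarm every slot, keep LE/GE/GD as found. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return (dr7 & ~0xFFFF00FFu) | DR7_RESERVED_BIT10;
}

static void describe(const char *label, uint32_t dr7)
{
    static const char *cls[] = { "clean", "LE/GE only (loader signature)", "breakpoint(s) armed" };
    printf("%-8s DR7=%08X -> %s\n", label, dr7, cls[dr7_classify(dr7)]);
    for (unsigned n = 0; n < 4; n++) {
        struct dr7_slot s = dr7_slot(dr7, n);
        if (s.enabled)
            printf("   slot %u: %s, rw=%u, len=%u\n", n, s.global ? "global" : "local", s.rw, s.len_bytes);
    }
}

int main(void)
{
    describe("idle", 0x400);
    describe("loader", 0x700);
    /* constructed BPM: L0 set, R/W0 = 11b (read/write), LEN0 = 00b (1 byte) */
    describe("bpm", 0x00030701);
    describe("cleared", dr7_clear_breakpoints(0x00030701));
    return 0;
}
```

Newer processors ignore LE/GE, but software that sets them for compatibility leaves the bit pattern behind, so the 0x700 value remains a usable tell. dr7_clear_breakpoints() is the "clearing BPMs" manipulation: it disarms all four slots and leaves LE/GE/GD untouched.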

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE driver accepts an open of its device name. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;              /* no such device: SoftICE is not loaded */
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 -> open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

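As an added example (not from the original text), here are the SoftICE conditions used against MeltICE (Method 11) and against the registry check (Method 13) written out in C, with a helper that derives the offsets. Both breakpoints compare one dword at a fixed offset into a string argument: esp->4 / esp->8 are the first / second stack arguments (the lpFileName and lpSubKey pointers), +4 skips the "\\.\" device prefix, and 0x13 / 0x37 are where "tICE" sits inside keys #2 and #1. The device names and key paths are the ones listed above; the benign inputs are constructed, and the 'Load' extension for key #3 is my own derivation.

```c
/* Added example, not code from the original text: the comparisons behind
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * in C, plus find_tag_offset() to derive such offsets. Inputs constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A 4-character SoftICE literal equals the dword formed by the four bytes in
 * memory order (little-endian); this macro builds the same value. */
#define TAG(a, b, c, d) ((uint32_t)(uint8_t)(a) | ((uint32_t)(uint8_t)(b) << 8) | \
                         ((uint32_t)(uint8_t)(c) << 16) | ((uint32_t)(uint8_t)(d) << 24))
#define TAG_SICE TAG('S','I','C','E')
#define TAG_SIWV TAG('S','I','W','V')
#define TAG_NTIC TAG('N','T','I','C')
#define TAG_tICE TAG('t','I','C','E')
#define NOT_FOUND ((size_t)-1)

/* Dword at s+off, or 0 when the string is too short for a full 4-byte read
 * (a real BPX would read whatever bytes happen to follow the terminator). */
uint32_t tag_at(const char *s, size_t off)
{
    size_t n = strlen(s);
    if (off + 4 > n) return 0;
    return TAG(s[off], s[off + 1], s[off + 2], s[off + 3]);
}

/* First offset at which 'tag' appears in s, or NOT_FOUND. */
size_t find_tag_offset(const char *s, uint32_t tag)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (tag_at(s, i) == tag) return i;
    return NOT_FOUND;
}

/* BPX CreateFileA condition: is lpFileName a SoftICE device name? */
int meltice_name_matches(const char *lpFileName)
{
    uint32_t t = tag_at(lpFileName, 4);
    return t == TAG_SICE || t == TAG_SIWV || t == TAG_NTIC;
}

/* BPX _regopenkey condition: is lpSubKey key #1 or key #2 from the list? */
int regkey_matches(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13) == TAG_tICE || tag_at(lpSubKey, 0x37) == TAG_tICE;
}

int main(void)
{
    /* constructed inputs: the names and keys listed in the text plus benign ones */
    const char *opens[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\PhysicalDrive0" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",        /* #1 */
        "Software\\NuMega\\SoftICE",                                             /* #2 */
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",  /* #3 */
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run"                      /* benign */
    };
    for (size_t i = 0; i < 4; i++)
        printf("CreateFileA(%-22s) -> %s\n", opens[i], meltice_name_matches(opens[i]) ? "BREAK" : "pass");
    for (size_t i = 0; i < 4; i++) {
        size_t off = find_tag_offset(keys[i], TAG_tICE);
        printf("RegOpenKey(%s) -> %s", keys[i], regkey_matches(keys[i]) ? "BREAK" : "pass");
        if (off != NOT_FOUND) printf(" ('tICE' at +0x%zX)", off);
        printf("\n");
    }
    return 0;
}
```

Two things this makes visible: the CreateFileA condition never checks the "\\.\" prefix, only bytes 4..7 of the name; and key #3 contains no "tICE" at all, so the posted breakpoint never fires on it. find_tag_offset() gives 0x34 for 'Load' in key #3, so a third term such as *(esp->8+0x34)=='Load' (my derivation, not from the text) would cover it.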
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed     ; ZF set -> no debugger installed
   je      not_installed


This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
Forum: 汶上信息港 (Discuz! X5.0)