About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE: the request is made
through int 3 with EBP = 'BCHK' and AX = 4, and SoftICE answers by
changing AL.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h                ; BoundsChecker sub-function
    int     3
    cmp     al, 4                  ; AL untouched -> nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It asks for the SoftICE VxD entry point via int 2Fh/1684h
(Get Device API Entry Point). If the call returns a non-null ES:DI, the VxD
is loaded (ES+DI is used as a cheap "both zero" test).

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it asks for the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next example, as well as the one in Method 06, is taken from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the int 41h vector
with a handler that just IRETs; if AX still comes back as 0F386h, the answer
came from something that caught the interrupt before the vector table:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table (added;
                                    ; the original snippet assumes it)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method, similar to the preceding one but more difficult to detect:
function 4Fh is never put in AX (AL is a value read from the timer port), so a
'BPINT 41 if ax==4f' breakpoint will not fire. The temporary handler copies
AL into CL; if the interrupt reaches our handler, CL equals AL afterwards,
otherwise something else caught int 41h first.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our own handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = pseudo-random value (timer port)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note also that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring0 only, since MOV from DRx is privileged). The values can be
manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE (Win9x) driver answers the device open. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);          /* the open succeeded: driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

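Most of the tricks above are recognisable from a few fixed bytes: the 'BCHK' immediate (method 01), the SI/DI magic pair in front of int 3 (method 02), the 1684h/VxD-id pair in front of int 2Fh (methods 03 and 04), the 4Fh/int 41h and 43h/int 68h pairs followed by a compare with 0F386h (methods 05 and 07), the 002A002Ah push of the VxDCall variant (method 12), and the device and registry strings of methods 11 and 13. The following Python scanner is an added example, not part of the original text or of any tool it names: it runs over a raw code blob and reports the method number and offset of each pattern. The opcode encodings are the canonical 16-bit forms (32-bit code adds a 66h prefix but keeps the same bytes, so it still matches); the 16-byte window and the sample blob are the example's own constructions, and a hit is a lead to set a breakpoint on, not proof of the trick, since code that builds the magic values any other way is not seen.

```python
"""Static triage for the anti-SoftICE tricks listed above (added example).

Each code signature keys on the instruction that performs the check (int 3,
int 2Fh, int 41h, int 68h, push 002A002Ah) and requires the operand set-up
described in the text in the bytes just before it and, where the text says
so, the 'cmp ax,0F386h' test just after it.
"""
import re
from dataclasses import dataclass

WINDOW = 16  # bytes inspected on each side of the anchor instruction


@dataclass(frozen=True)
class Sig:
    method: str
    what: str
    anchor: bytes          # instruction that performs the check
    before: tuple = ()     # operand set-up that must precede it
    after: tuple = ()      # result test that must follow it


# B8/BB/BE/BF imm16 = mov ax/bx/si/di; B4 imm8 = mov ah; BD imm32 = mov ebp;
# CC = int 3; CD nn = int nn; 3D imm16 = cmp ax,imm16; 6A/68 = push imm8/imm32.
CODE_SIGS = [
    Sig("01", "BoundsChecker 'BCHK' request over int 3", b"\xCC",
        before=(b"\xBD\x4B\x48\x43\x42",)),                # mov ebp,4243484Bh
    Sig("02", "SoftICE back door (SI='FG', DI='JM') over int 3", b"\xCC",
        before=(b"\xBE\x47\x46", b"\xBF\x4D\x4A")),         # mov si,4647h / mov di,4A4Dh
    Sig("03", "int 2Fh/1684h entry point of SICE (id 0202h)", b"\xCD\x2F",
        before=(b"\xB8\x84\x16", b"\xBB\x02\x02")),
    Sig("04", "int 2Fh/1684h entry point of SIWVID (id 7A5Fh)", b"\xCD\x2F",
        before=(b"\xB8\x84\x16", b"\xBB\x5F\x7A")),
    Sig("05", "int 41h/4Fh debugger check, expects 0F386h", b"\xCD\x41",
        before=(b"\xB8\x4F\x00",), after=(b"\x3D\x86\xF3",)),
    Sig("07", "int 68h/43h WinICE V86 check, expects 0F386h", b"\xCD\x68",
        before=(b"\xB4\x43",), after=(b"\x3D\x86\xF3",)),
    Sig("12", "VxDCall VWIN32_Int41Dispatch(4Fh), expects 0F386h",
        b"\x68\x2A\x00\x2A\x00",                           # push 002A002Ah
        before=(b"\x6A\x4F",), after=(b"\x3D\x86\xF3",)),   # push 4Fh ... cmp ax
]

# Plain-text evidence: MeltICE device names (method 11), registry keys (13).
STRING_SIGS = [
    ("11", "SoftICE device name", rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    ("13", "SoftICE registry key",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]


def _all_present(blob: bytes, frags, start: int, end: int) -> bool:
    region = blob[max(start, 0):end]
    return all(f in region for f in frags)


def scan(blob: bytes):
    """Return (offset, method, description) for each trick found, by offset."""
    hits = []
    for sig in CODE_SIGS:
        for m in re.finditer(re.escape(sig.anchor), blob):
            s, e = m.start(), m.end()
            if (_all_present(blob, sig.before, s - WINDOW, s)
                    and _all_present(blob, sig.after, e, e + WINDOW)):
                hits.append((s, sig.method, sig.what))
    for method, what, pattern in STRING_SIGS:
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), method, f"{what}: {m.group().decode('ascii')}"))
    return sorted(hits)


# Constructed sample "binary": hand-assembled fragments of the tricks above
# separated by NOPs, plus two decoys that must stay silent.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"     # method 02 (as in Haspinst)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"             # method 05
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"     # method 03
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00"
    + b"\x66\x3D\x86\xF3\x74\x10"                             # method 12 (32-bit)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                      # method 11 / MeltICE
    + b"\x90" * 4
    + b"\xCD\x41\x90\x90"          # decoy: int 41h without function 4Fh
    + b"\x90" * 4
    + b"\xCC"                      # decoy: int 3 without the magic values
    + b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"             # method 01
)

if __name__ == "__main__":
    for off, method, what in scan(SAMPLE):
        print(f"{off:#06x}  method {method}  {what}")
```

Each reported offset is where to put the BPX or BPINT from the corresponding section; the decoys show why the operand set-up is required rather than the bare interrupt, which would otherwise flag every int 3 in a program.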
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the subkey string; offset 0x13 into
'Software\NuMega\SoftICE' and offset 0x37 into the Uninstall key both land
on 'tICE'):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>