<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our own int 41h vector
    xchg bx, es:[41h*4+2]    ; (es is assumed to be 0, the IVT segment, as Method 06 sets it)
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; unpredictable value read from the timer
    xor cx, cx
    int 41h                  ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al               ; ...unless a debugger took the interrupt
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

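As an added example that is not part of the original text, here is a small static scanner, written by me, that looks for the byte patterns of Methods 01 to 13 above in a raw code blob, the way an analyst triages a packed sample for anti-debugging checks. The opcode encodings are my own hand assembly of the page's mnemonics, and the sample blob is constructed.

```python
import re

# Signatures for the SoftICE checks catalogued on this page, as an analyst
# would look for them in a raw code blob. Opcode bytes are my own hand
# assembly of the page's mnemonics (16-bit form; 32-bit code only adds a
# 66h prefix, which the small ".{0,n}" gaps tolerate).
DEVICE_PREFIX = b"\\\\.\\"                              # the literal \\.\ prefix
DEVICE_NAMES = [b"SICE", b"SIWVID", b"NTICE"]           # Method 11 driver names
REGISTRY_PATHS = [b"NuMega\\SoftICE", b"Loader32.Exe"]  # Method 13 key fragments

SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)
    ("M01 BoundsChecker BCHK/int 3", rb"\xbd\x4b\x48\x43\x42.{0,6}\xcc"),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A) ... int 3
    ("M02 SoftICE back door magic",
     rb"(?:\xbe\x47\x46.{0,6}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,6}\xbe\x47\x46).{0,8}\xcc"),
    # Methods 03/04: mov ax,1684h (B8 84 16), mov bx,<VxD id> (BB id), int 2Fh (CD 2F)
    ("M03 int 2Fh/1684h SICE VxD", rb"\xb8\x84\x16.{0,6}\xbb\x02\x02.{0,6}\xcd\x2f"),
    ("M04 int 2Fh/1684h SIWVID VxD", rb"\xb8\x84\x16.{0,6}\xbb\x5f\x7a.{0,6}\xcd\x2f"),
    # Method 05: mov ax,4Fh (B8 4F 00) ... int 41h (CD 41)
    ("M05 int 41h/4Fh debugger check", rb"\xb8\x4f\x00.{0,2}\xcd\x41"),
    # Method 07: mov ah,43h (B4 43) ... int 68h (CD 68)
    ("M07 int 68h/43h V86 check", rb"\xb4\x43.{0,4}\xcd\x68"),
    # Method 11: "\\.\SICE"-style device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.escape(DEVICE_PREFIX) + b"(?:" + b"|".join(DEVICE_NAMES) + b")"),
    # Method 12: push 4Fh (6A 4F), push 002A002Ah (68 2A 00 2A 00) before VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 13: registry paths that give away the SoftICE install directory
    ("M13 SoftICE registry path", b"|".join(re.escape(p) for p in REGISTRY_PATHS)),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(data: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, ordered by offset."""
    hits = []
    for name, pattern in COMPILED:
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (hand-assembled by me): the Haspinst.exe back-door call of
# Method 02, the simplest int 41h check of Method 05 and a Method 11 device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09" + b"\x8b\x17"        # mov ax,0911h ; mov dx,[bx]
    + b"\xbe\x47\x46" + b"\xbf\x4d\x4a"    # mov si,4647h ; mov di,4A4Dh
    + b"\xcc" + b"\x90" * 4                # int 3, then NOP padding
    + b"\xb8\x4f\x00" + b"\xcd\x41"        # mov ax,4Fh ; int 41h
    + b"\x3d\x86\xf3" + b"\x90" * 4        # cmp ax,0F386h, then NOP padding
    + DEVICE_PREFIX + b"SICE\x00"          # '\\.\SICE',0
)


def scan_sample() -> list:
    """Names of the signatures hit in SAMPLE, in file order."""
    return [name for _, name in scan(SAMPLE)]
```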
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
5 K$ }* p; K! M |& f* J) x</PRE></TD></TR></TBODY></TABLE> |