<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy: jump back.
4C19:00AD  MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next code, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily swaps in its own int 41h
handler (a bare iret) so that, without a debugger, ax comes back unchanged.
ES must point to segment 0 (the interrupt vector table) before the xchg
instructions; Method 06 shows that setup:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value (PIT counter)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; our handler ran -> cl == al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

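As an added example (not part of the original text), here is a small static triage scanner that flags the byte-level idioms of methods 01, 02, 03/04, 05, 07, 11 and 12 in a sample before it is loaded under a debugger, so an analyst knows which tricks to expect. The opcode encodings are the standard x86 ones and are my assumption, as are the signature names and the constructed sample buffer.

```python
import re

# name -> regex over raw bytes.  The .{0,N} gaps tolerate a few interleaved
# instructions, as in the Haspinst listing where MOV DX,[BX] sits between
# MOV AX,0911 and MOV SI,4647.  Opcode bytes are the standard x86 encodings
# (my assumption, not taken from the original text).
SIGNATURES = {
    # Method 01 (32-bit): mov ebp,4243484Bh ('BCHK', stored as "KHCB") ... int 3
    "bchk_int3": re.compile(rb"\xbdKHCB.{0,16}\xcc", re.DOTALL),
    # Method 02 (16-bit): mov si,4647h ; mov di,4A4Dh ; int 3
    "int3_backdoor": re.compile(
        rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a.{0,8}\xcc", re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "int2f_vxd_entry": re.compile(
        rb"\xb8\x84\x16.{0,8}\xbb(\x02\x02|\x5f\x7a).{0,8}\xcd\x2f", re.DOTALL),
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "int41_4f_magic": re.compile(
        rb"\xb8\x4f\x00.{0,16}\xcd\x41.{0,16}\x3d\x86\xf3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h
    "int68_43": re.compile(rb"\xb4\x43.{0,8}\xcd\x68", re.DOTALL),
    # Method 11: device names opened by MeltICE-style checks
    "driver_name": re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41": re.compile(
        rb"(\x6a\x4f|\x68\x4f\x00\x00\x00).{0,4}\x68\x2a\x00\x2a\x00", re.DOTALL),
}


def scan(data):
    """Return sorted (offset, signature_name) pairs for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        hits.extend((m.start(), name) for m in pattern.finditer(data))
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop from Method 02 assembled to bytes,
# filler, and the device name a MeltICE-style check passes to CreateFileA.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"      # mov ax,0911h
    + b"\x8b\x17"          # mov dx,[bx]
    + b"\xbe\x47\x46"      # mov si,4647h
    + b"\xbf\x4d\x4a"      # mov di,4A4Dh
    + b"\xcc"              # int 3
    + b"\x83\xc3\x02"      # add bx,2
    + b"\x41"              # inc cx
    + b"\x83\xf9\x06"      # cmp cx,6
    + b"\x72\xeb"          # jb back
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"   # "\\.\SICE" as stored in the binary
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the idiom is present; confirm it under the breakpoints given for each method before treating the sample as debugger-aware.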
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>