<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface of SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3                 ; if SoftICE is present it answers the BoundsChecker
    cmp al, 4             ; call and al is no longer 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of WINICE
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler in the IVT
    xchg bx, es:[41h*4+2]   ; (es must point to segment 0 here)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; the dummy handler leaves ax unchanged; only a
    jz SoftICE_detected     ; system debugger answers with 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect:

int41handler PROC
    mov cl, al              ; the local handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install the local int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; al = an unpredictable value (timer port)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if the local handler was bypassed, cl is
    jnz SoftICE_detected    ; still 0 and differs from al

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                ; HFILE_ERROR (-1) becomes 0
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

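As an added example (not part of the original text, and not SoftICE's or any
packer's own code), here is a small Python scanner that searches a binary image
for the byte patterns and strings of methods 01, 02, 05/06/12, 11 and 13 above,
which is how an analyst would spot these tricks statically before tracing them.
The buffer it scans is constructed for the example; the opcode encodings are
those of the 16-bit snippets above (a 66h operand-size prefix in 32-bit code
leaves the matched bytes unchanged), and the labels are my own.

```python
"""Static scanner for the SoftICE-detection tricks catalogued above.
Added example with constructed sample data; labels and encodings are
assumptions made for this example, not taken from any packer."""
import re

# (label, compiled regex over raw bytes)
# BD 4B 48 43 42     mov ebp, 4243484Bh ('BCHK')                 - method 01
# BE 47 46 / BF 4D 4A  mov si, 4647h / mov di, 4A4Dh (any order) - method 02
# 3D 86 F3           cmp ax, 0F386h                              - methods 05/06/12
# 68 2A 00 2A 00     push 002A002Ah (VWIN32_Int41Dispatch)       - method 12
SIGNATURES = [
    ("method 01: mov ebp,'BCHK' BoundsChecker int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("method 02: int 3 back door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.DOTALL)),
    ("methods 05/06/12: cmp ax,0F386h (system debugger magic number)",
     re.compile(rb"\x3D\x86\xF3")),
    ("method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("method 11: SoftICE driver device name (MeltICE / _lopen)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("method 13: SoftICE registry key",
     re.compile(rb"(?:Software\\NuMega\\SoftICE|Uninstall\\SoftICE)")),
]


def scan(data):
    """Return [(offset, label), ...] for every signature hit, sorted by offset.
    Three-byte hits (the cmp ax,0F386h pattern) need manual confirmation in a
    disassembler; the others are long enough to be meaningful on their own."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample image: filler, then one instance of each trick.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp, 'BCHK'            (offset 16)
    + b"\xB8\x04\x00\xCC\x3C\x04"          # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17"              # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3 (40)
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h (60)
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                   # "\\.\SICE"                 (offset 71)
    + b"\\\\.\\NTICE\x00"                  # "\\.\NTICE"                (offset 80)
    + b"Software\\NuMega\\SoftICE\x00"     # registry key               (offset 90)
)


def main():
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")


if __name__ == "__main__":
    main()
```

Run against a real image, the offsets from scan() are the places to put a BPX
or to start disassembling; a hit on the three-byte 0F386h pattern alone is only
a hint until the surrounding int 41h or VxDCall is seen.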
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>