<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: an INT 3 issued with
EBP='BCHK' and AX=4 is answered by SoftICE, which changes AL, so AL still
being 4 after the call means that no SoftICE is loaded:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands....
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911      ; execute command.
        4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647      ; 1st magic value.
        4C19:009D MOV DI,4A4D      ; 2nd magic value.
        4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
        4C19:00A8 JB 0095          ; 6 different commands.
        4C19:00AA JMP 0002         ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is left at zero when no VxD with that
ID is loaded, which is what the final test checks:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It swaps the int 41h vector for a dummy
'iret' handler around the call, so the program survives when no debugger
has hooked int 41h:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP



_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: AL
holds a value read from the timer port (40h) instead of the tell-tale 4Fh,
and the program's own handler copies AL to CL. If CL differs from AL
afterwards, that handler never ran because a debugger caught the int 41h
first:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip
        is located at [ebp+48h] for 32-bit apps)
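As an added example (not part of the original text, nor code from any packer or from SoftICE), here is a small Python triage scanner that finds the interrupt-based checks of methods 01 to 07 and 12 in a raw code image by the opcode encodings of their key instructions, so an analyst can flag a sample that carries these tricks without running it. The 16-bit encodings, the short wildcard gaps allowed between instructions and the sample image are hand-assembled here from the page's snippets and are assumptions of this example; real samples may reorder or obfuscate the instructions, so a hit is a lead to look at in the disassembler, not proof.

```python
"""Static triage scanner for the interrupt-based SoftICE checks above
(methods 01 to 07 and 12). Added example, not code from the original text
or from any packer: it matches the opcode encodings of the key instructions
in a raw code image so an analyst can flag a sample that carries these
tricks without running it. Encodings, wildcard gaps and the sample image
are hand-assembled here from the page's snippets."""
import re

# int 3 backdoor function codes of method 02 (AX=09xxh)
BACKDOOR_FUNCS = {0x10: "display string", 0x11: "execute command",
                  0x12: "get breakpoints", 0x13: "set breakpoints",
                  0x14: "remove breakpoints"}
# VxD IDs asked for through int 2Fh/1684h (methods 03 and 04)
VXD_IDS = {0x0202: "SICE (WinICE)", 0x7A5F: "SIWVID (SoftICE GFX)"}

# (name, regex over raw bytes). The short '.{0,n}?' gaps allow the odd
# instruction (mov dx,[bx], xchg of the vector, ...) between the key opcodes.
SIGNATURES = [
    ("int3-backdoor-BCHK",                      # mov ebp,4243484Bh ('BCHK')
     rb"\xBD\x4B\x48\x43\x42"),
    ("int3-backdoor-magic",                     # mov si,4647h / mov di,4A4Dh, either order
     rb"\xBE\x47\x46.{0,12}?\xBF\x4D\x4A"
     rb"|\xBF\x4D\x4A.{0,12}?\xBE\x47\x46"),
    ("int2F-1684-vxd-lookup",                   # mov ax,1684h; mov bx,ID; int 2Fh
     rb"\xB8\x84\x16.{0,8}?\xBB(..).{0,8}?\xCD\x2F"),
    ("int41-4F-magic",                          # mov ax,4Fh; int 41h; cmp ax,0F386h
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?\x3D\x86\xF3"),
    ("int68-43-magic",                          # mov ah,43h; int 68h; cmp ax,0F386h
     rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    ("vxdcall-int41dispatch",                   # push 4Fh; push 2A002Ah (method 12)
     rb"\x6A\x4F.{0,4}?\x68\x2A\x00\x2A\x00"),
]


def scan(data):
    """Return a sorted list of (offset, signature name, detail) findings."""
    findings = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            detail = ""
            if name == "int2F-1684-vxd-lookup":
                vxd = int.from_bytes(m.group(1), "little")
                detail = VXD_IDS.get(vxd, "unknown VxD id %04Xh" % vxd)
            elif name == "int3-backdoor-magic":
                # name the backdoor function from a nearby mov ax,09xxh
                lo = max(0, m.start() - 16)
                f = re.search(rb"\xB8([\x10-\x14])\x09",
                              data[lo:m.end() + 16], re.DOTALL)
                if f:
                    code = f.group(1)[0]
                    detail = "AX=09%02Xh (%s)" % (code, BACKDOOR_FUNCS[code])
            findings.append((m.start(), name, detail))
    return sorted(findings)


# Constructed sample image: the page's snippets hand-assembled as 16-bit
# code (method 12 is 32-bit), separated by NOP filler.
SAMPLE = (
    b"\x66\xBD\x4B\x48\x43\x42"   # 00h: mov ebp,4243484Bh
    b"\xB8\x04\x00"               # 06h: mov ax,4
    b"\xCC"                       # 09h: int 3
    b"\x3C\x04"                   # 0Ah: cmp al,4
    b"\x75\x10"                   # 0Ch: jnz SoftICE_Detected
    b"\x90\x90"                   # 0Eh: nop; nop
    b"\xB8\x11\x09"               # 10h: mov ax,0911h
    b"\x8B\x17"                   # 13h: mov dx,[bx]
    b"\xBE\x47\x46"               # 15h: mov si,4647h
    b"\xBF\x4D\x4A"               # 18h: mov di,4A4Dh
    b"\xCC"                       # 1Bh: int 3
    b"\x33\xFF"                   # 1Ch: xor di,di
    b"\x8E\xC7"                   # 1Eh: mov es,di
    b"\xB8\x84\x16"               # 20h: mov ax,1684h
    b"\xBB\x5F\x7A"               # 23h: mov bx,7A5Fh
    b"\xCD\x2F"                   # 26h: int 2Fh
    b"\xB8\x4F\x00"               # 28h: mov ax,4Fh
    b"\xCD\x41"                   # 2Bh: int 41h
    b"\x3D\x86\xF3"               # 2Dh: cmp ax,0F386h
    b"\x74\x05"                   # 30h: jz SoftICE_detected
    b"\xB4\x43"                   # 32h: mov ah,43h
    b"\xCD\x68"                   # 34h: int 68h
    b"\x3D\x86\xF3"               # 36h: cmp ax,0F386h
    b"\x6A\x4F"                   # 39h: push 4Fh
    b"\x68\x2A\x00\x2A\x00"       # 3Bh: push 2A002Ah
)

if __name__ == "__main__":
    for offset, name, detail in scan(SAMPLE):
        print("%04Xh  %-24s %s" % (offset, name, detail))
```

Run on the constructed image it reports six findings, one per trick, with the backdoor function name and the VxD ID decoded from the matched bytes; method 06 is deliberately absent from the table because it carries no fixed function number or magic compare, which is exactly why the page calls it harder to spot.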
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Try to open the SoftICE VxD by its device name. The open only succeeds
   when the driver is loaded (see below for why), so a valid handle means
   SoftICE is present. The same check with "\\\\.\\NTICE" covers WinNT. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch).
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory!
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
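As an added example for methods 11 and 13 (not part of the original text, and not MeltICE's or SoftICE's code), here is a Python artefact scanner that applies the logic of the page's conditional breakpoints to a file's contents instead of to a live call: it reads the device name that follows every '\\.\' prefix (as the 'BPX CreateFileA if *(esp->4+4)==...' condition does), in ASCII and in UTF-16LE for CreateFileW callers, looks for the three registry paths, and recomputes the 0x13 and 0x37 constants of the _regopenkey breakpoint from the key strings. The sample bytes, the function names and the 16-character cap on device names are assumptions of this example.

```python
"""Artefact scanner for the MeltICE (method 11) and registry (method 13)
checks. Added example, not code from the original text or from MeltICE:
it flags the SoftICE device names and registry paths in a file image the
same way the page's breakpoints flag them at run time. Sample bytes are
constructed here."""
import re

# device names listed on the page and the platform each belongs to
SOFTICE_DEVICES = {b"SICE": "Win9x SoftICE",
                   b"SIWVID": "Win9x SoftICE video driver",
                   b"NTICE": "WinNT SoftICE"}
# registry paths of method 13 (#1, #2, #3), without the HKEY_LOCAL_MACHINE root
SOFTICE_REGKEYS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    b"Software\\NuMega\\SoftICE",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]
DEVICE_PREFIX = b"\\\\.\\"        # the four bytes  \ \ . \


def _wide(s):
    """UTF-16LE form of an ASCII byte string, as CreateFileW would see it."""
    return s.decode("ascii").encode("utf-16-le")


def scan_device_names(data):
    """Return (offset, encoding, name, verdict) for every \\.\ prefix in data.

    Mirrors the breakpoint condition: the bytes right after the prefix are
    the device name, and only SoftICE's own driver names are flagged."""
    out = []
    for enc, prefix, step in (("ascii", DEVICE_PREFIX, 1),
                              ("utf-16le", _wide(DEVICE_PREFIX), 2)):
        for m in re.finditer(re.escape(prefix), data):
            raw = data[m.end(): m.end() + 16 * step]
            if step == 2:
                raw = raw[0::2]          # low byte of each UTF-16LE unit
            name = re.match(rb"[A-Za-z0-9]*", raw).group(0)
            verdict = SOFTICE_DEVICES.get(name.upper(), "other device")
            out.append((m.start(), enc, name.decode("ascii"), verdict))
    return sorted(out)


def scan_registry_keys(data):
    """Return (offset, encoding, key) for each method 13 key, case-insensitively."""
    out = []
    for key in SOFTICE_REGKEYS:
        for enc, needle in (("ascii", key), ("utf-16le", _wide(key))):
            for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
                out.append((m.start(), enc, key.decode("ascii")))
    return sorted(out)


def flags_softice(data):
    """True when any SoftICE device name or registry key is present."""
    return (any(v != "other device" for _, _, _, v in scan_device_names(data))
            or bool(scan_registry_keys(data)))


def bpx_offsets():
    """Offset of 'tICE' inside each key, i.e. the constants of the page's
    BPX _regopenkey condition (0x37 for key #1, 0x13 for key #2); -1 for a
    key the breakpoint does not cover."""
    return {k.decode("ascii"): k.find(b"tICE") for k in SOFTICE_REGKEYS}


# Constructed sample: the strings a MeltICE-style binary would carry, plus a
# legitimate device name and a lower-case registry path that must still hit.
SAMPLE = (b"\x00" + DEVICE_PREFIX + b"SICE\x00"
          + DEVICE_PREFIX + b"SIWVID\x00"
          + _wide(DEVICE_PREFIX + b"NTICE\x00")
          + DEVICE_PREFIX + b"PhysicalDrive0\x00"
          + b"software\\numega\\softice\x00"
          + b"HKEY_LOCAL_MACHINE\\" + SOFTICE_REGKEYS[2] + b"\x00")

if __name__ == "__main__":
    for hit in scan_device_names(SAMPLE) + scan_registry_keys(SAMPLE):
        print(hit)
    print("SoftICE artefacts present:", flags_softice(SAMPLE))
    print("BPX offsets:", bpx_offsets())
```

Two points worth noticing in the output: the offsets the page uses in its _regopenkey breakpoint fall out of the key strings themselves (the 't' of SoftICE sits at 0x13 in key #2 and at 0x37 in key #1, and key #3 has no such substring, so that breakpoint does not cover it), and a legitimate device name such as PhysicalDrive0 goes through the same path without being flagged, which is the check a triage rule needs to keep its false-positive rate down.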

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>