<TABLE width=500>
<TBODY>
<TR>
" J5 Z2 K7 U& z3 ~2 S" G<TD><PRE>Method 01
+ R- U" i, |- U1 f$ j# s5 c: i1 r=========
0 G% Z% [) T; s# d" T
; y9 a2 I, @/ ]* yThis method of detection of SoftICE (as well as the following one) is
1 t' u5 p! u4 u% [ Dused by the majority of packers/encryptors found on Internet.2 C9 X& H w* O2 i1 K( y
It seeks the signature of BoundsChecker in SoftICE5 L% z# c; G2 l9 H* x. o
% x3 U7 A% \+ L( u1 d( R
mov ebp, 04243484Bh ; 'BCHK'
5 _1 d+ m6 ?7 F mov ax, 04h
& g: S/ H) w8 c. C/ X- r. K) d8 @ int 3 $ s2 q, e* k- z& w. w l, F1 G
cmp al,4
) [$ y2 u8 s, z' J p1 G# ^# x jnz SoftICE_Detected
2 y: M m' `+ f/ w* O( r0 q/ K1 q8 V0 J6 I/ p
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected


___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                ; es = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in a dummy int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected


_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
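
The two DR7 values quoted above make sense once the register is decoded bit by bit.
The following Python helper is an added example written for this page, not code from
the original text: it decodes DR7 using the documented x86 layout (L/G enable pairs in
bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, and R/W and LEN fields
starting at bit 16), so 0x400 is an empty register, 0x700 is the same register with LE
and GE set, and any armed BPM shows up as an enabled slot. It assumes register values
are supplied as integers, e.g. taken from a crash dump or a VM introspection tool.

```python
# Decoder for the x86 DR7 debug-control register (added example for this page).
# Layout per the Intel SDM:
#   bits 0..7    L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for slots 0..3
#   bit 8        LE  (local exact breakpoint match, 386/486 era)
#   bit 9        GE  (global exact breakpoint match)
#   bit 10       reserved, always reads as 1  -> the 0x400 baseline quoted above
#   bits 16+4i   R/W(i): 00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4i   LEN(i): 00 1 byte, 01 2 bytes, 10 8 bytes (64-bit), 11 4 bytes

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the exact-match flags and every enabled breakpoint slot in dr7."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "breakpoints": [],
    }
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue  # slot i is not armed, its R/W and LEN fields are irrelevant
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        info["breakpoints"].append({
            "index": i, "local": local, "global": glob,
            "kind": RW_NAMES[rw], "length": LEN_BYTES[ln],
        })
    return info


def matches_loader_profile(dr7):
    """True when dr7 carries the LE+GE signature the text attributes to the
    SoftICE loader (0x700) rather than the bare reserved bit (0x400)."""
    flags = decode_dr7(dr7)
    return flags["le"] and flags["ge"]


def armed_bpm(dr7, dr0_3):
    """Pair each enabled slot with its linear address from dr0..dr3 (constructed
    input: a 4-element list of integers)."""
    return [(bp["index"], dr0_3[bp["index"]], bp["kind"], bp["length"])
            for bp in decode_dr7(dr7)["breakpoints"]]


if __name__ == "__main__":
    # Constructed sample: slot 0 armed locally as a 4-byte read/write BPM.
    sample_dr7 = 0x400 | 0x1 | (0x3 << 16) | (0x3 << 18)
    print(decode_dr7(0x700))
    print(armed_bpm(sample_dr7, [0x401000, 0, 0, 0]))
```

Only the enable bits and LE/GE are considered here; a real triage tool would also
check DR6 to see which slot actually fired.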
" Y+ L1 c) A' k4 I& i__________________________________________________________________________0 e- a4 e9 H9 w7 F, B% f

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);      /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

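Every check in Methods 01, 02, 05, 11, 12 and 13 depends on a fixed immediate or a
fixed string (the 'BCHK' constant, the 4647h/4A4Dh magic pair, int 41h function 4Fh,
the \\.\SICE-style device names, the 002A002Ah VxDCall selector, the registry paths),
so an analyst triaging a packed sample can flag all of them statically. The scanner
below is an added example written for this page, not code from the original text or
from any tool it mentions. The byte encodings are standard x86 (16-bit code for the
DOS-era tricks, 32-bit code for the BCHK and VxDCall ones); `SIGNATURES`, `scan` and
the constructed `SAMPLE` blob are this example's own names.

```python
import re

# Byte-level signatures for the SoftICE checks catalogued above (added example).
# Encodings assumed:
#   mov ebp, 4243484Bh          -> BD 4B 48 43 42          (32-bit code, Method 01)
#   mov si, 4647h / mov di,4A4Dh-> BE 47 46 / BF 4D 4A     (16-bit code, Method 02)
#   mov ax, 4Fh ; int 41h       -> B8 4F 00 CD 41          (16-bit code, Method 05)
#   push 4Fh ; push 2A002Ah     -> 6A 4F (or 68 4F 00 00 00) 68 2A 00 2A 00 (Method 12)
SIGNATURES = [
    ("method01_bchk_signature",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("method02_backdoor_magic",            # allow a few bytes between the two movs
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    ("method05_int41_4f",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("method11_device_names",              # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("method12_vxdcall_int41dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("method13_registry_keys",
     re.compile(rb"(?:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|"
                rb"App Paths\\Loader32\.Exe)", re.IGNORECASE)),
]


def scan(data):
    """Return every (signature name, offset) hit in data, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((name, m.start()))
    hits.sort(key=lambda h: (h[1], h[0]))
    return hits


def methods_hit(data):
    """Distinct signature names found, for a one-line triage verdict."""
    return sorted({name for name, _ in scan(data)})


# Constructed sample: a Method 02 backdoor call followed by two strings that a
# MeltICE-style (Method 11) and a registry (Method 13) check would carry.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                     # mov ax,0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"     # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                  # "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"    # registry key #2
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it against an unpacked image rather than the packed file, since the checks
in Methods 01 and 02 normally live in the decryption stub and only exist in clear
text after that stub has run.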
__________________________________________________________________________
4 _" @3 s x$ [: [ h
/ s- o7 C7 K/ h$ ?* s4 \; |: R1 Y" Z8 i" \
Method 14 9 p" j3 q! U" Z. d7 E: K8 R
=========
( R" F9 m/ L7 ]; b, F! V
, V0 k1 I: y" g& \- }; `A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 q! i5 x" W1 \" a
is to determines whether a debugger is running on your system (ring0 only).% c) `# [+ q+ O9 [, W1 B
: a1 D }( g$ o4 f* [
VMMCall Test_Debug_Installed! s/ Z$ p: x9 \( t/ l9 C8 W
je not_installed" z6 k* b2 X& A, B/ ~
0 d! N" y9 R/ `5 A
This service just checks a flag.' T" O! R, h/ W% l: j2 U% U
</PRE></TD></TR></TBODY></TABLE> |