<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh       ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of WinICE
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh             ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                ; al = timer value (varies each run)
    xor cx, cx
    int 41h                   ; our handler copies al into cl
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                ; cl != al => somebody else took the int
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the VxD by its device name; this only succeeds if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh             ; function 4fh
    push 002a002ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001      ; VxDCall
    cmp ax, 0f386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually
#2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>