<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4             ; al is no longer 4 once SoftICE has answered the BoundsChecker request
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di            ; es:di = 0:0, stays 0 if the VxD is not found
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; es must point to the IVT (segment 0), as in Method 06
    xchg bx, es:[41h*4+2]  ; install our own int 41h handler, old vector kept in bx:dx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                   ; our handler leaves ax untouched: only a debugger returns 0F386h
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al             ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our int 41h handler, old vector kept in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h             ; random byte (timer counter)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; cl == al only if our handler was really executed
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h            ; DOS set interrupt vector
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the device name is \\.\SICE; the open succeeds only if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
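
As an added example (not part of the original text, and not anyone's released tool), a small Python scanner that looks for the byte-level fingerprints of Methods 01 to 13 above in a file, the way an analyst triaging a protected executable would. The constants are the page's; the opcode encodings and the sample buffer are assumptions.

```python
import re

# Byte-level fingerprints of the SoftICE checks described above (Methods 01-13).
# The constants (BCHK, 4647h/4A4Dh, 1684h, 0202h/7A5Fh, 4Fh, 43h, 002A002Ah, the
# device names and the registry key) come from the text; the opcode encodings are
# assumptions (plain 16/32-bit x86: B8/BB/BE/BF mov r16,imm16; BD mov ebp,imm32;
# CD xx int xx; CC int 3; 68/6A push imm32/imm8). The wildcard windows are kept
# short so that a stray constant elsewhere in a file is not reported.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' followed shortly by int 3
    "01_boundschecker_bchk": rb"\xbd\x4b\x48\x43\x42.{0,12}?\xcc",
    # Method 02: back-door magic values si=4647h, di=4A4Dh (either order), then int 3
    "02_backdoor_magic": rb"(?:\xbe\x47\x46.{0,8}?\xbf\x4d\x4a|"
                         rb"\xbf\x4d\x4a.{0,8}?\xbe\x47\x46).{0,8}?\xcc",
    # Methods 03/04: int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) VxD id
    "03_04_int2f_1684": rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
    # Methods 05/06: int 41h, function 4Fh
    "05_06_int41_4f": rb"\xb8\x4f\x00.{0,8}?\xcd\x41",
    # Method 07: int 68h, function 43h
    "07_int68_43": rb"\xb4\x43.{0,4}?\xcd\x68",
    # Method 11 (MeltICE): the \\.\SICE, \\.\SIWVID and \\.\NTICE device names
    "11_meltice_devname": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12_vxdcall_int41": rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",
    # Method 13: the SoftICE registry key (key #2 above)
    "13_registry_key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.S) for name, pat in SIGNATURES.items()}


def scan(data):
    """Return {signature name: [file offsets]} for every fingerprint found in data."""
    hits = {}
    for name, pattern in COMPILED.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample (not a real binary): NOP filler with three of the tricks embedded.
SAMPLE = (
    b"\x90" * 16
    + b"\xbd\x4b\x48\x43\x42"       # mov ebp, 4243484Bh ('BCHK')        (Method 01)
    + b"\x66\xb8\x04\x00\xcc"       # mov ax, 4 / int 3
    + b"\x90" * 8
    + b"\xb8\x11\x09\x8b\x17"       # mov ax, 0911h / mov dx, [bx]       (Method 02, Haspinst.exe)
    + b"\xbe\x47\x46\xbf\x4d\x4a"   # mov si, 4647h / mov di, 4A4Dh
    + b"\xcc"                       # int 3
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"            # "\\.\SICE" device name             (Method 11)
    + b"\x90" * 8
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offsets in sorted(scan(data).items()):
        print(f"{name:24s} at " + ", ".join(f"0x{o:x}" for o in offsets))
```

Run it on a file to list which of the page's tricks it appears to contain and where; with no argument it scans the built-in sample.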
</PRE></TD></TR></TBODY></TABLE>