About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility uses to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -&gt; interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)

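To make the dr7 values quoted above concrete, here is a DR7 field decoder added as an example (it is not part of the original text). The bit layout is the documented x86 one; the 0x700/0x400 heuristic and the name "BPM" come from this method's description, and the sample register values are constructed.

```python
# Decoder for the x86 DR7 debug-control register (layout per the Intel SDM).
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into its named control bits and the four breakpoint slots."""
    info = {
        "le": bool(dr7 & (1 << 8)),      # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),      # global exact breakpoint enable
        "bit10": bool(dr7 & (1 << 10)),  # reserved, always reads as 1
        "gd": bool(dr7 & (1 << 13)),     # general detect: traps MOV to/from DRn
        "slots": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))          # Ln
        glob = bool(dr7 & (1 << (2 * n + 1)))       # Gn
        rw = (dr7 >> (16 + 4 * n)) & 3              # R/Wn
        ln = (dr7 >> (18 + 4 * n)) & 3              # LENn
        info["slots"].append({
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else None),
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
        })
    return info


def looks_like_softice_loader(dr7):
    """Method 10's heuristic: SoftICE's loader leaves LE|GE set (dr7 == 0x700),
    while a normally started program sees only the reserved bit (0x400)."""
    return (dr7 & 0x300) == 0x300


def active_bpms(dr7, dr0, dr1, dr2, dr3):
    """List live memory breakpoints as (address, kind, length) tuples."""
    addrs = (dr0, dr1, dr2, dr3)
    return [(addrs[n], s["kind"], s["len"])
            for n, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]


# Constructed sample: dr7 as the SoftICE loader leaves it (0x700) plus one
# 4-byte read/write BPM in slot 0 (L0=1, RW0=11b, LEN0=11b) and one
# execute breakpoint in slot 2 (G2=1, RW2=00b, LEN2=00b).
SAMPLE_DR7 = 0x700 | 0x1 | (0x3 << 16) | (0x3 << 18) | (0x1 << 5)

if __name__ == "__main__":
    print(hex(SAMPLE_DR7), looks_like_softice_loader(SAMPLE_DR7))
    print(active_bpms(SAMPLE_DR7, 0x401000, 0, 0x4010A0, 0))
```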
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the SICE VxD is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
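The natural counterpart to the list above is a static triage check for these tricks in a packed or protected binary. The following scanner is an added example (not from the original text or from any tool it names): it matches the distinctive immediates and device/registry strings of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw blob. The byte encodings assume plain 16-bit or 32-bit x86 code without prefixes, and the sample blob is constructed.

```python
import re

# (label, regex over raw bytes). Opcode encodings assume plain 16-bit or
# 32-bit x86 code without prefixes; a production scanner works from disassembly.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') ahead of the int 3 BoundsChecker probe
    ("M01 BCHK magic", rb"\xbd\x4b\x48\x43\x42"),
    # Method 02: mov ax, 0910h..0914h back-door function numbers
    ("M02 back-door fn", rb"\xb8[\x10-\x14]\x09"),
    # Method 02: mov si,4647h ... mov di,4A4Dh (the SoftICE magic values)
    ("M02 SI/DI magic", rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a"),
    # Method 03/04: mov bx,0202h or mov bx,7A5Fh followed by int 2Fh
    ("M03/04 int 2F/1684", rb"\xbb(?:\x02\x02|\x5f\x7a).{0,16}?\xcd\x2f"),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("M05 int 41/4F", rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x3d\x86\xf3"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68/43", rb"\xb4\x43\xcd\x68"),
    # Method 11: driver names opened with CreateFileA or _lopen
    ("M11 driver name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall 2A002A", rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"),
    # Method 13: registry keys that reveal the installation directory
    ("M13 registry key", rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob):
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = []
    for label, rx in COMPILED:
        hits.extend((m.start(), label) for m in rx.finditer(blob))
    return sorted(hits)


def methods_found(blob):
    """Set of labels present, for a quick triage verdict."""
    return {label for _, label in scan(blob)}


# Constructed sample: a Method 01 probe, a Haspinst-style Method 02 sequence,
# one MeltICE device name and one registry key, with padding between them.
SAMPLE = (
    b"\xbd\x4b\x48\x43\x42"             # mov ebp, 4243484Bh   (offset 0)
    + b"\x66\xb8\x04\x00\xcc"           # mov ax,4 ; int 3
    + b"\x3c\x04\x75\x10"               # cmp al,4 ; jnz SoftICE_Detected
    + b"\x90" * 7                       # padding
    + b"\xb8\x11\x09"                   # mov ax,0911h         (offset 21)
    + b"\x8b\x17"                       # mov dx,[bx]
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"   # mov si,4647h ; mov di,4A4Dh ; int 3 (26)
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                # '\\.\SICE',0         (offset 37)
    + b"Software\\NuMega\\SoftICE\x00"  # registry key #2      (offset 46)
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, label in scan(data):
        print(f"{off:#010x}  {label}")
```

Run it with a file argument to scan a real binary; with no argument it reports the hits in the constructed sample.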