<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:


        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the Win9x SoftICE VxD */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the open succeeded: SICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.


        push 0000004fh                  ; function 4fh
        push 002a002ah                  ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001           ; VxdCall
        cmp ax, 0f386h                  ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
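Added example, not code from the original text or its author: a static byte-signature scanner that flags the checks described in Methods 01 through 07, 11, 12 and 13, so an analyst can spot them in a sample before single-stepping into them. The opcode encodings are my own (16-bit x86, with the 0x66 prefix that 32-bit code puts before a 16-bit immediate allowed where it matters), and the sample buffers are constructed here, not taken from any real binary.

```python
import re
from typing import Dict, List

ANY = rb"[\x00-\xff]"  # one arbitrary byte

# (label, regex over raw bytes); immediates are little-endian, and the
# optional 0x66 prefix is what 32-bit code puts in front of a 16-bit move.
CODE_SIGNATURES = [
    # Method 01: mov ebp,04243484Bh ('BCHK') ... int 3  (mov ax,04h in between)
    ("01 BoundsChecker BCHK + int 3", rb"\xBD\x4B\x48\x43\x42" + ANY + rb"{0,6}\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  (back door magic values)
    ("02 int 3 back door SI/DI magic", rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD ID", rb"\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh ; int 41h
    ("05/06 int 41h/4Fh", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", rb"\xB4\x43\xCD\x68"),
    # Methods 05/07/12: cmp ax,0F386h  (weak on its own, strong next to the above)
    ("F386h magic compare", rb"\x3D\x86\xF3"),
]

# Methods 11/13: device names handed to CreateFileA/_lopen, and the registry key.
STRING_SIGNATURES = [
    ("11 MeltICE device name", rb"\\.\SICE"),
    ("11 MeltICE device name", rb"\\.\SIWVID"),
    ("11 MeltICE device name", rb"\\.\NTICE"),
    ("13 SoftICE registry key", rb"Software\NuMega\SoftICE"),
]


def scan(buf: bytes) -> List[Dict[str, object]]:
    """Return every signature hit (label, offset, matched bytes), sorted by offset."""
    hits: List[Dict[str, object]] = []
    for label, pat in CODE_SIGNATURES:
        for m in re.finditer(pat, buf):
            hits.append({"label": label, "offset": m.start(), "bytes": m.group().hex()})
    for label, lit in STRING_SIGNATURES:  # strings: case-insensitive literal search
        for m in re.finditer(re.escape(lit), buf, re.IGNORECASE):
            hits.append({"label": label, "offset": m.start(), "bytes": m.group().hex()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample (not a real binary): the Method 02 sequence from the
# Haspinst.exe listing, the Method 03 sequence, then a MeltICE device name.
SAMPLE = (
    b"\xB8\x11\x09"                      # mov ax,0911h
    b"\x8B\x17"                          # mov dx,[bx]
    b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h ; mov di,4A4Dh ; int 3
    b"\x90\x90\x90\x90"
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h ; mov bx,0202h ; int 2Fh
    b"\x90\x90\x90\x90"
    b"\\\\.\\SICE\x00"                   # the string \\.\SICE
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['offset']:#06x}  {h['label']:32}  {h['bytes']}")
```

The F386h compare is listed as a weak indicator on purpose: on its own it is three common bytes, so treat it as corroboration for one of the interrupt or VxDCall sequences rather than as a hit.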

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>