About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
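The idioms listed above for Methods 01 to 07, 11, 12 and 13 all compile to fixed byte sequences, so an analyst triaging a sample can flag them statically instead of tracing them under a debugger. The scanner below is an added example (my own code, not part of the original post); the opcode encodings are my assumption from the Intel manual, the constants come from the text above, and the sample buffer, the signature names and the functions scan/methods_found are constructed for this illustration.

```python
import re

# Byte-level signatures for the tricks above. Opcode encodings are assumed
# from the Intel manual (B8+r = mov r16/32,imm; CD ib = int; CC = int 3;
# 6A ib / 68 id = push imm); "(?:\x66)?" tolerates the operand-size prefix
# that 16-bit operands get when the same idiom sits in 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00(?:\xCC|\xCD\x03)",
    # Method 02: the back-door magic values mov si,4647h / mov di,4A4Dh
    "M02 back door magic SI=4647h DI=4A4Dh":
        rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "M03/04 int 2Fh/1684h SICE or SIWVID id":
        rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "M05 int 41h fn 4Fh":
        rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h fn 43h":
        rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah right before the VxdCall
    "M12 VxdCall VWIN32_Int41Dispatch 4Fh":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: device names opened by MeltICE-style checks
    "M11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry key #2
    "M13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return [(offset, signature name), ...] sorted by offset."""
    hits = []
    for name, pat in COMPILED.items():
        for m in pat.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(blob: bytes) -> list:
    """Distinct signature names present, in first-seen order."""
    seen = []
    for _, name in scan(blob):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample, not a real binary: 16-bit Method 01 and 02 code
# (hence the 66h prefix on the mov ebp), a 32-bit Method 12 prologue, then
# the Method 11 device string and the Method 13 registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42" + b"\xB8\x04\x00" + b"\xCC" + b"\x3C\x04"
    + b"\xB8\x11\x09" + b"\xBE\x47\x46" + b"\xBF\x4D\x4A" + b"\xCC"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00" + b"\x00" * 3
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Run it over a raw file image (for example the bytes of a .exe) to get offsets that can then be checked in a disassembler; the signatures are deliberately tight, so a miss only means the idiom was not compiled exactly this way.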
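For Method 10 it helps to see what the two DR7 values the post quotes actually encode: 0x400 is only the reserved bit 10, which always reads as 1, and 0x700 adds the LE and GE bits (8 and 9) while leaving every hardware breakpoint slot disabled. The decoder below is an added example, not code from the post; the bit layout is taken from the Intel SDM, and the function names and sample values are constructed here.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"; assumed here, the post
# only quotes two values): L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 reserved and always 1, GD bit 13, then R/Wn and LENn as 2-bit
# fields starting at bit 16 (4 bits per slot).
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b means 8 bytes only in long mode


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its named bits and four breakpoint slots."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "reserved10": bool((dr7 >> 10) & 1),
            "slots": slots}


def active_bpms(dr7: int, dr0_3) -> list:
    """(slot, address, kind, length) for each enabled slot; dr0_3 = (dr0..dr3).

    This is the 'memory breakpoints set' half of the post's check."""
    out = []
    for s in decode_dr7(dr7)["slots"]:
        if s["local"] or s["global"]:
            out.append((s["slot"], dr0_3[s["slot"]], s["kind"], s["length"]))
    return out


def loaded_with_softice_loader(dr7: int) -> bool:
    """The post's heuristic: 0x700 (LE and GE set) versus the bare 0x400."""
    return (dr7 & 0x300) == 0x300


# Constructed sample values: the two quoted by the post, plus a DR7 with
# slot 0 armed as a 4-byte read/write breakpoint (L0=1, R/W0=11b, LEN0=11b).
SOFTICE_LOADER_DR7 = 0x700
PLAIN_DR7 = 0x400
BPM_DR7 = 0x400 | 0x1 | (0b11 << 16) | (0b11 << 18)   # == 0xF0401

if __name__ == "__main__":
    for value in (SOFTICE_LOADER_DR7, PLAIN_DR7, BPM_DR7):
        d = decode_dr7(value)
        print(f"dr7={value:#x} LE={d['LE']} GE={d['GE']} "
              f"bpms={active_bpms(value, (0x401000, 0, 0, 0))}")
```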