About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: an int 3 issued with
EBP='BCHK' and AX=4 is answered by SoftICE, which sets AL to 0; without
SoftICE, AL still holds 4 after the interrupt.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the ASCIZ command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________2 d7 c- M8 C* s" E: h" m


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The temporary int 41h handler makes the
call safe when no debugger is present: in plain DOS the int 41h vector is a
pointer to the fixed-disk parameter table, not code, so without a handler of
our own the interrupt would jump into data. With the handler installed, the
call returns AX unchanged (4Fh) unless a debugger answers it.

    ; ES must already be 0 (the IVT segment); Method 06 shows the setup.
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


* X, b9 C) j3 B9 L/ V- u0 @_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
A byte read from the timer (port 40h) is kept in AL and CX is cleared before
the int 41h. If the interrupt reaches the program's own handler, CL receives
AL and the compare matches; if a debugger handled int 41h itself, the handler
never ran, CL is still 0 and the mismatch flags detection (a 1-in-256 false
negative when AL happens to be 0). Nothing is compared against 0F386h, so a
breakpoint conditioned on the magic value will not catch it.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________6 O- t; D. S5 E3 `8 J' k

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the VxD's device name only succeeds when the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName; +4 skips the "\\.\" prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
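All of the tricks above are short, fixed instruction sequences or literal strings, so the quickest first pass over an unknown packer stub is a byte-signature scan. The following C program is an added example for this page, not code from the original article: it encodes the instructions shown in Methods 01, 02, 03/04, 05/06, 07 and 12 as the x86 opcode bytes they assemble to, adds the MeltICE device names (Method 11) and the NuMega registry key (Method 13), and scans a buffer for them. The TRICK_* flag names, the two sample buffers (hand-assembled for this example, not taken from any real program) and the zeroed rel32 in the `call` are the example's own. Patterns are written for the 32-bit encodings; because the 66h operand-size prefix sits in front of them, the 16-bit forms match as well. The usual caveat applies: a packer that builds the constants at run time (xor-ing 'BCHK' together, for instance) is invisible to this kind of scan.

```c
/* Added example (not from the original article): byte-signature scan for the
 * anti-SoftICE tricks described above. The flag names and sample buffers are
 * this example's own assumptions. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum {
    TRICK_BCHK_INT3  = 1 << 0,  /* Method 01: mov ebp,4243484Bh ('BCHK')      */
    TRICK_BACKDOOR   = 1 << 1,  /* Method 02: mov si,4647h AND mov di,4A4Dh   */
    TRICK_INT2F_VXD  = 1 << 2,  /* Methods 03/04: mov bx,0202h|7A5Fh; int 2Fh */
    TRICK_INT41_4F   = 1 << 3,  /* Methods 05/06: mov ax,4Fh; int 41h         */
    TRICK_INT68_43   = 1 << 4,  /* Method 07: mov ah,43h; int 68h             */
    TRICK_VXDCALL_41 = 1 << 5,  /* Method 12: push 4Fh; push 002A002Ah        */
    TRICK_MELTICE    = 1 << 6,  /* Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE */
    TRICK_REGISTRY   = 1 << 7,  /* Method 13: NuMega\SoftICE key              */
    TRICK_MAGIC_F386 = 1 << 8   /* cmp ax,0F386h (Methods 05, 07, 12)         */
};

/* Opcode bytes of the instructions shown in the text. In 32-bit code the 66h
 * prefix precedes these bytes, so both 16- and 32-bit forms are matched. */
static const uint8_t sig_bchk[]       = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t sig_si4647[]     = { 0xBE, 0x47, 0x46 };
static const uint8_t sig_di4a4d[]     = { 0xBF, 0x4D, 0x4A };
static const uint8_t sig_vxd_sice[]   = { 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const uint8_t sig_vxd_siwvid[] = { 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
static const uint8_t sig_int41[]      = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
static const uint8_t sig_int68[]      = { 0xB4, 0x43, 0xCD, 0x68 };
static const uint8_t sig_vxdcall[]    = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };
static const uint8_t sig_f386[]       = { 0x3D, 0x86, 0xF3 };
static const char *const sig_devices[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };
static const char sig_regkey[] = "NuMega\\SoftICE";

/* Plain byte search; memmem() is not standard C, so roll our own. */
static int contains(const uint8_t *hay, size_t hlen, const void *needle, size_t nlen)
{
    size_t i;
    if (nlen == 0 || hlen < nlen) return 0;
    for (i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}
#define HAS(buf, len, sig) contains((buf), (len), (sig), sizeof(sig))

/* Returns a bitmask of TRICK_* flags found anywhere in buf. */
unsigned scan_anti_softice(const uint8_t *buf, size_t len)
{
    unsigned found = 0;
    size_t i;
    if (HAS(buf, len, sig_bchk))                                      found |= TRICK_BCHK_INT3;
    if (HAS(buf, len, sig_si4647) && HAS(buf, len, sig_di4a4d))       found |= TRICK_BACKDOOR;
    if (HAS(buf, len, sig_vxd_sice) || HAS(buf, len, sig_vxd_siwvid)) found |= TRICK_INT2F_VXD;
    if (HAS(buf, len, sig_int41))                                     found |= TRICK_INT41_4F;
    if (HAS(buf, len, sig_int68))                                     found |= TRICK_INT68_43;
    if (HAS(buf, len, sig_vxdcall))                                   found |= TRICK_VXDCALL_41;
    if (HAS(buf, len, sig_f386))                                      found |= TRICK_MAGIC_F386;
    for (i = 0; i < sizeof sig_devices / sizeof sig_devices[0]; i++)
        if (contains(buf, len, sig_devices[i], strlen(sig_devices[i]))) found |= TRICK_MELTICE;
    if (contains(buf, len, sig_regkey, strlen(sig_regkey)))           found |= TRICK_REGISTRY;
    return found;
}

/* Constructed sample: a hand-assembled Win32 stub using Methods 01, 12 and 11. */
static const uint8_t sample_packer_stub[] = {
    0x55, 0x8B, 0xEC,                         /* push ebp; mov ebp,esp (filler) */
    0xBD, 0x4B, 0x48, 0x43, 0x42,             /* mov ebp,4243484Bh  ('BCHK')    */
    0x66, 0xB8, 0x04, 0x00,                   /* mov ax,4                       */
    0xCC,                                     /* int 3                          */
    0x3C, 0x04,                               /* cmp al,4                       */
    0x75, 0x10,                               /* jnz SoftICE_Detected           */
    0x6A, 0x4F,                               /* push 4Fh                       */
    0x68, 0x2A, 0x00, 0x2A, 0x00,             /* push 002A002Ah                 */
    0xE8, 0x00, 0x00, 0x00, 0x00,             /* call Kernel32!ORD_0001 (rel32 left 0) */
    0x66, 0x3D, 0x86, 0xF3,                   /* cmp ax,0F386h                  */
    0x74, 0x05,                               /* jz SoftICE_Detected            */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00   /* "\\.\SICE" in .data  */
};
/* Constructed sample with no anti-debug code at all. */
static const uint8_t sample_clean_code[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };

int main(void)
{
    static const struct { unsigned flag; const char *name; } names[] = {
        { TRICK_BCHK_INT3, "01 int3/BCHK" },         { TRICK_BACKDOOR, "02 int3 back door" },
        { TRICK_INT2F_VXD, "03/04 int 2F VxD ID" },  { TRICK_INT41_4F, "05/06 int 41/4F" },
        { TRICK_INT68_43, "07 int 68/43" },          { TRICK_VXDCALL_41, "12 VxDCall Int41Dispatch" },
        { TRICK_MELTICE, "11 MeltICE device name" }, { TRICK_REGISTRY, "13 registry key" },
        { TRICK_MAGIC_F386, "cmp ax,0F386h" }
    };
    unsigned found = scan_anti_softice(sample_packer_stub, sizeof sample_packer_stub);
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        if (found & names[i].flag) printf("found: Method %s\n", names[i].name);
    return 0;
}
```

Method 02 is only reported when both magic values are present, since a lone `mov si,4647h` is a common enough immediate to produce noise; the others are distinctive enough on their own. Run against the constructed stub, the scan reports Methods 01, 12 and 11 plus the 0F386h compare, and nothing for the clean buffer.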