<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE services the BoundsChecker INT 3
    cmp al,4                ; and changes AL; without it AL is still 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; (still 0:0 if the VxD is not loaded)
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; (still 0:0 if the VxD is not loaded)
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs              ; ES is assumed to be 0 here (real-mode IVT)
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install int41handler2, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; the dummy handler leaves AX unchanged,
    jz SoftICE_detected     ; a system debugger answers 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our own handler: copy AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install int41handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = a byte read from the timer port (hard to predict)
    xor cx,cx
    int 41h                 ; int41handler sets CL=AL, unless a system debugger
    xchg dx, es:[41h*4]     ; intercepts INT 41h first and CL stays 0
    xchg bx, es:[41h*4+2]   ; restore the original vector
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> the new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
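The DR7 values quoted in Method 10 are easier to reason about bit by bit. The Python decoder below is an added example, not code from the original text: it lists which of the DR0-DR3 hardware breakpoint slots are armed (what a ring-0 read of the debug registers really inspects) and applies the 0x700 / 0x400 heuristic from the text as a labelled rule. The function names and the sample values it runs on are my own; the bit layout is the documented x86 DR7 layout.

```python
"""Decode the x86 DR7 debug-control register.

Added example, not code from the original text: it spells out what the DR7
values quoted in Method 10 (0x700 and 0x400) mean bit by bit and lists which
of the DR0-DR3 hardware breakpoint slots are armed. Sample values are constructed.
"""

# DR7 field encodings (x86 architecture manuals).
RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoint slots and the control flags encoded in DR7."""
    if not 0 <= dr7 <= 0xFFFFFFFF:
        raise ValueError("DR7 is a 32-bit register")
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln: bits 0,2,4,6
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11         # R/Wn: break condition
        ln = (dr7 >> (18 + 4 * n)) & 0b11         # LENn: watched range size
        slots.append({"slot": n, "local": local, "global": glob,
                      "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # reserved, reads as 1: the 0x400
        "GD": bool(dr7 & (1 << 13)),              # general detect: traps DRn access
    }


def classify_dr7(dr7: int) -> str:
    """Apply the Method 10 heuristic: an armed slot means a hardware (BPM-style)
    breakpoint; LE+GE with no slot is the 0x700 pattern the text attributes to
    programs started from the SoftICE loader; bit 10 alone (0x400) is idle."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoint armed"
    if info["LE"] and info["GE"]:
        return "LE/GE set (0x700: started via the SoftICE loader)"
    return "idle"


if __name__ == "__main__":
    # Constructed values: the two quoted in the text plus a 4-byte DR0 write watchpoint.
    for value in (0x700, 0x400, 0x000D0401):
        print(hex(value), classify_dr7(value), decode_dr7(value)["breakpoints"])
```

The third sample value, 0x000D0401, has L0 set and R/W0=01, LEN0=11: a 4-byte write watchpoint on the address in DR0, which is the shape a memory breakpoint leaves behind in DR7.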
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
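Most of the checks above leave fixed byte sequences or strings in the protected file, so an analyst can find them statically before ever running the program. The scanner below is an added example, not code from the original text or from any tool it mentions: it encodes the instruction sequences of Methods 01, 02, 03/04, 05 and 07 as x86 byte patterns (worked out by hand from the listings; 16-bit encodings unless noted) together with the device names of Method 11 and the registry keys of Method 13, and reports each occurrence with its offset. The function names and the sample image it is run on are my own constructions.

```python
"""Static scan for the SoftICE-detection artifacts described in Methods 01-13.

Added example, not part of the original text nor of any tool it mentions.
The byte patterns are hand-assembled from the listings in the text; the
image built by build_sample() is constructed so the scanner runs offline.
"""
import re

# (method, description, byte pattern)
SIGNATURES = [
    # Method 01 (32-bit code): mov ebp,4243484Bh ('BCHK', little-endian) ... int 3
    ("01", "BoundsChecker 'BCHK' INT 3 handshake",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order), then int 3
    ("02", "INT 3 back door magic values SI=4647h DI=4A4Dh",
     re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    ("03/04", "INT 2Fh/1684h entry-point query for SICE or SIWVID",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h
    ("05", "INT 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("07", "INT 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names (CreateFileA or _lopen)
    ("11", "SoftICE driver device name (MeltICE / _lopen variants)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: registry keys that reveal the installation directory
    ("13", "SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE"
                rb"|App Paths\\Loader32\.Exe", re.IGNORECASE)),
]


def scan(image: bytes) -> list:
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed image: NOP padding around a Method 05 check, the Haspinst-style
    Method 02 sequence, a SIWVID INT 2Fh query and a MeltICE device name."""
    return (
        b"\x90" * 4
        + b"\xB8\x4F\x00\xCD\x41"        # mov ax,4Fh ; int 41h         (offset 4)
        + b"\x3D\x86\xF3"                # cmp ax,0F386h
        + b"\x90" * 4
        + b"\xB8\x11\x09\x8B\x17"        # mov ax,0911h ; mov dx,[bx]   (offset 16)
        + b"\xBE\x47\x46\xBF\x4D\x4A"    # mov si,4647h ; mov di,4A4Dh  (offset 21)
        + b"\xCC"                        # int 3
        + b"\x90" * 4
        + b"\xB8\x84\x16\xBB\x5F\x7A"    # mov ax,1684h ; mov bx,7A5Fh  (offset 32)
        + b"\xCD\x2F"                    # int 2Fh
        + b"\x90" * 4
        + b"\\\\.\\SIWVID\x00"           # '\\.\SIWVID',0               (offset 44)
    )


if __name__ == "__main__":
    for offset, method, desc in scan(build_sample()):
        print(f"{offset:#06x}  method {method:<5}  {desc}")
```

The patterns are deliberately narrow (exact immediates, short gaps before the INT), so a hit is a strong indicator rather than a guess; a real binary can of course reach the same interrupts with differently assembled code, which is why the dynamic breakpoints given with each method remain the confirmation step.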


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>