<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

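As an added example (not part of the original text, nor code from any of the
programs named in it), here is a Python triage scanner that searches a raw
binary for the opcode sequences of Methods 01 to 08 above. The byte encodings
are the standard 16-bit x86 forms, with an optional 66h prefix so the same
instructions are also found inside 32-bit code; the allowed gap between the
instructions of one method (.{0,8}?) is an assumption, and the sample blob is
constructed by hand-assembling the snippets above, not taken from any real file:

```python
"""Static triage: match the opcode sequences of Methods 01-08 in raw binary bytes.

Encodings used (standard x86, 16-bit forms; an optional 66h prefix covers the
same instruction inside 32-bit code): mov r16,imm16 = B8+r iw, mov ah/al,imm8 =
B4/B0 ib, mov ebp,imm32 = BD id, int 3 = CC, int n = CD ib, cmp ax,imm16 = 3D iw,
in al,imm8 = E4 ib. The gaps between instructions (.{0,8}?) are an assumption."""
import re
import sys

SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si, 4647h / mov di, 4A4Dh magic values, then int 3
    ("M02 back door magic SI=4647h DI=4A4Dh + int 3",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Methods 03/04: mov bx, VxD ID ... int 2Fh (ax=1684h, get API entry point)
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)",
     re.compile(rb"\x66?\xBB\x02\x02.{0,8}?\xCD\x2F", re.S)),
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.S)),
    # Method 05: mov ax, 4Fh ; int 41h
    ("M05 int 41h function 4Fh",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    # Method 06: in al, 40h ... int 41h (the private handler copies al into cl)
    ("M06 in al,40h + int 41h",
     re.compile(rb"\xE4\x40.{0,8}?\xCD\x41", re.S)),
    # Method 07: mov ah, 43h ; int 68h
    ("M07 int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    # Method 08: mov ah,25h + mov al,01h|03h (either order, or mov ax,2501h/2503h) ; int 21h
    ("M08 int 21h/25h hooking int 01h or int 03h",
     re.compile(rb"(?:\xB4\x25\xB0[\x01\x03]|\xB0[\x01\x03]\xB4\x25|"
                rb"\xB8[\x01\x03]\x25).{0,8}?\xCD\x21", re.S)),
    # cmp ax, 0F386h: the system-debugger magic reply (Methods 05 and 07)
    ("magic 0F386h compared with ax",
     re.compile(rb"\x66?\x3D\x86\xF3")),
]


def scan(blob: bytes):
    """Return a sorted list of (offset, label) for every signature hit in blob."""
    hits = []
    for label, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: the Method 01-08 snippets above, hand-assembled as 16-bit
# code and padded with NOPs. Not bytes taken from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02 (Haspinst loop body)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                  # Method 05
    + b"\xE4\x40\x33\xC9\xCD\x41"                                  # Method 06
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x10"                      # Method 07
    + b"\xB4\x25\xB0\x03\xBA\x00\x10\xCD\x21"                      # Method 08
    + b"\x90" * 4
)

if __name__ == "__main__":
    # Usage: python3 scan.py [file]   (no argument: scan the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, label in scan(data):
        print(f"{off:08x}  {label}")
```

The hits are offsets into the raw file, so for a DOS executable they still need
the load segment added before they can be used as SoftICE breakpoint addresses.
Method 06 only shows up through its "in al,40h ... int 41h" shape, since it
never loads 4Fh into ax; the 0F386h comparison is listed separately because the
same constant is reused by Method 07.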
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
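Added example (not part of the original text): a Python decoder for a DR7 value
once it has been read, showing what the two values quoted above actually encode.
The bit layout is the documented x86 one (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE
bit 9, bit 10 reserved and reading as 1, GD bit 13, R/Wn and LENn fields from
bit 16 up); the third value fed to it is constructed, not from the text:

```python
"""Decode an x86 DR7 value as Method 10 reads it: which of DR0-DR3 are armed,
on what condition and length, plus the LE/GE bits behind the 0x700 / 0x400
values quoted above. Bit layout (Intel SDM, DR7): L0/G0..L3/G3 in bits 0-7,
LE bit 8, GE bit 9, bit 10 reserved (reads as 1, hence 0x400 when idle),
GD bit 13, R/Wn in bits 16+4n..17+4n, LENn in bits 18+4n..19+4n."""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # LEN=10b means 8 bytes (undefined on old CPUs)


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoints and the global control bits of a DR7 value."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue  # neither L nor G set: DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"reg": f"DR{n}", "scope": "global" if glob else "local",
                    "cond": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "breakpoints": bps,
        "le": bool((dr7 >> 8) & 1),      # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),      # global exact breakpoint enable
        "gd": bool((dr7 >> 13) & 1),     # general detect: #DB on any debug-register access
        "reserved_bit10": bool((dr7 >> 10) & 1),
    }


def classify(dr7: int) -> str:
    """The coarse reading Method 10 makes of a DR7 value read in ring0."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed (BPM set): " + ", ".join(
            f"{b['reg']} {b['scope']} {b['cond']} len {b['len']}" for b in d["breakpoints"])
    if d["le"] and d["ge"]:
        return "exact-match bits set (0x700 pattern: started under the SoftICE loader)"
    return "idle (0x400 pattern: only the reserved bit is set)"


if __name__ == "__main__":
    # The two values quoted in the text plus one constructed value:
    # DR0 local, break on write, 4 bytes -> L0=1, R/W0=01b, LEN0=11b.
    for v in (0x700, 0x400, 0xD0401):
        print(f"DR7={v:#010x}: {classify(v)}")
```

The decoder also reports GD: when that bit is set, the very "mov eax, dr7" a
checker executes raises a debug exception, which is why the warning above about
tracing with breakpoints enabled matters.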
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Try to open the SoftICE VxD (Win9x: \\.\SICE) as a device. The name only
   resolves when the driver is loaded, so a valid handle means "detected". */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

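Added example (not part of the original text) covering Method 11 and Method 13
together: a Python scanner that finds the SoftICE device names opened with
CreateFileA/_lopen (\\.\SICE, \\.\SIWVID, \\.\NTICE) and the three registry
paths listed above inside a binary, in both ASCII and UTF-16LE form and
regardless of case, since both forms occur in Win32 programs. The sample blob
is constructed here, not taken from any real program:

```python
"""Find the SoftICE indicators of Method 11 (device names opened with
CreateFileA/_lopen) and Method 13 (registry paths) in a binary, in both ASCII
and UTF-16LE form, case-insensitively."""
import re
import sys

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def _encodings(text: str):
    """Both byte forms a Win32 program may store the string in."""
    return [("ascii", re.compile(re.escape(text.encode("ascii")), re.I)),
            ("utf-16le", re.compile(re.escape(text.encode("utf-16-le")), re.I))]


def find_indicators(blob: bytes):
    """Return sorted (offset, kind, encoding, name) tuples for every hit."""
    hits = []
    for kind, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for name in names:
            for enc, rx in _encodings(name):
                for m in rx.finditer(blob):
                    hits.append((m.start(), kind, enc, name))
    return sorted(hits)


# Constructed sample blob (not taken from any real program): an ASCII device
# name as in the MeltICE disassembly, a UTF-16LE one, a lower-cased registry
# path and a full HKLM path.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 3
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"software\\numega\\softice\x00"
    + b"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
      b"\\App Paths\\Loader32.Exe\x00"
)

if __name__ == "__main__":
    # Usage: python3 strings_check.py [file]   (no argument: scan the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, kind, enc, name in find_indicators(data):
        print(f"{off:08x}  {kind:8s} {enc:8s} {name}")
```

The registry patterns match the path below the hive, so a string with or
without the HKEY_LOCAL_MACHINE\ prefix is found either way; a program that
builds the name at run time (byte by byte, or decrypted on the fly) will not
show up here and still needs the breakpoints given above.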
___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>