About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK' in EBP, AX=4) that the
SoftICE int 3 handler recognises: when SoftICE is loaded it answers the
interrupt and changes AL, which is exactly what the cmp below tests.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(the "Get Device API Entry Point" function): ES:DI comes back as 0:0
unless a VxD with the requested ID is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The following snippet, and Method 06 after it, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The trick is to install a dummy int 41h
handler first: if a system debugger is resident it answers the interrupt
before the dummy handler and AX still comes back as 0F386h.

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our handler, keeping the old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                    ; dummy handler: leaves AX untouched
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL, so CL equals AL afterwards only if the
int 41h really reached it and was not swallowed by a resident debugger.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keeping the old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; hard-to-predict value (PIT counter 0)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number  ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
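What a Method 10 check actually sees when it reads the debug registers, as an added example that is not code from the original post: a decoder for DR7 (the L/G enable bits, the LE/GE flags that make up the 0x700 value mentioned above, and the R/W and LEN fields of each hardware breakpoint), the conclusions a protector draws from DR0-DR3 and DR7, and the "clear the BPMs" manipulation. The register values are constructed (reading them needs ring 0), and the names decode_dr7, softice_check and clear_bpm are this example's own.

```python
"""Decoder for the debug registers a Method 10 check reads.

Added example, not code from the original post.  Reading DR0-DR7 needs
ring 0 (mov eax, dr7), so the values used here are constructed; the bit
layout is the documented x86 DR7 layout: L0/G0 .. L3/G3 in bits 0-7,
LE bit 8, GE bit 9, bit 10 always 1, GD bit 13, R/Wn in bits 16+4n,
LENn in bits 18+4n.
"""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split DR7 into its global flags and the list of enabled breakpoints."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1        # Ln: enabled for the current task
        glob = (dr7 >> (2 * n + 1)) & 1     # Gn: enabled for every task
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3      # R/Wn: access that triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3      # LENn: size of the watched range
        bps.append({"reg": n, "scope": "global" if glob else "local",
                    "type": RW_TYPES[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "breakpoints": bps}


def softice_check(dr0_3, dr7):
    """The conclusions a Method 10 style check draws from DR0-DR3 and DR7."""
    findings = []
    info = decode_dr7(dr7)
    if info["LE"] and info["GE"]:
        findings.append("DR7=%#x: LE and GE set (the 0x700 value the text "
                        "reports when the program is loaded through the "
                        "SoftICE loader)" % dr7)
    for bp in info["breakpoints"]:
        findings.append("BPM in DR%d: %s %s, %d byte(s) at %#x" % (
            bp["reg"], bp["scope"], bp["type"], bp["len"], dr0_3[bp["reg"]]))
    return findings


def clear_bpm(dr7):
    """Disable all four hardware breakpoints (clear L0..G3), leaving the
    other DR7 bits as they were."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # Constructed: program loaded through the SoftICE loader (0x700) plus a
    # 4-byte read/write BPM in DR0 on 0x401000.
    dr7 = 0x700 | 0x1 | (3 << 16) | (3 << 18)
    for line in softice_check([0x401000, 0, 0, 0], dr7):
        print(line)
    print("after clear_bpm: %#x -> %s"
          % (clear_bpm(dr7), decode_dr7(clear_bpm(dr7))["breakpoints"]))
```

The same decoding is what you would apply to a DR7 value dumped from a driver or from a crash dump when you suspect a protector of reading the registers; a cleared low byte with the R/W and LEN fields still populated is the trace clear_bpm leaves behind.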

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name of the SoftICE VxD only succeeds when the
      driver is loaded; otherwise CreateFile returns INVALID_HANDLE_VALUE. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
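A static scanner for the tricks listed above, as an added example that is not part of the original post and not code from its author: it turns the fixed bytes each method needs (the 'BCHK' immediate of Method 01, the FG/JM magic words of Method 02, int 2Fh/1684h with the SICE and SIWVID IDs, int 41h/4Fh and the 0F386h compare, int 68h/43h, the int 21h/25h rehook, the 002A002Ah VxDCall of Method 12, the MeltICE device names and the Method 13 registry paths) into YARA-style byte signatures with nibble wildcards and reports which of them a binary contains, with offsets. The signature names, the hx/txt pattern syntax and the sample bytes (a hand-assembled fragment constructed for the demonstration) are this example's own assumptions; a hit is a lead for a closer look, since the same immediates can appear for other reasons.

```python
"""Static signature scan for the anti-SoftICE tricks catalogued above.

Added example, not code from the original post.  Each signature encodes
the fixed bytes a trick needs (the 'BCHK' immediate, the FG/JM magic
words, int 41h/4Fh, the MeltICE device names ...); the sample binary at
the bottom is hand-assembled for the demonstration.
"""


def hx(s):
    """Parse a YARA-style hex string ('B8 1? 09') into (value, mask) pairs:
    mask 0xFF = exact byte, 0xF0/0x0F = one nibble wildcarded, 0 = any byte."""
    pat = []
    for tok in s.split():
        hi, lo = tok[0], tok[1]
        val = (0 if hi == "?" else int(hi, 16) << 4) | (0 if lo == "?" else int(lo, 16))
        mask = (0 if hi == "?" else 0xF0) | (0 if lo == "?" else 0x0F)
        pat.append((val, mask))
    return pat


def txt(b):
    """Exact byte string (device name, registry path) as a pattern."""
    return [(c, 0xFF) for c in b]


# name -> requirements.  Every requirement must occur somewhere in the file;
# a requirement is satisfied by any one of its alternative patterns.  The
# 16-bit and 32-bit encodings share these bytes (a 66h prefix may precede).
SIGNATURES = {
    "M01 int 3 with EBP='BCHK'": [
        [hx("BD 4B 48 43 42")]],                      # mov ebp, 4243484Bh
    "M02 SoftICE back door (SI='FG', DI='JM', AX=091xh)": [
        [hx("BE 47 46")], [hx("BF 4D 4A")],           # mov si,4647h / mov di,4A4Dh
        [hx("B8 1? 09")]],                            # mov ax, 0910h..0914h
    "M03/M04 int 2Fh/1684h for VxD SICE or SIWVID": [
        [hx("B8 84 16")],                             # mov ax, 1684h
        [hx("BB 02 02"), hx("BB 5F 7A")],             # mov bx, 0202h / 7A5Fh
        [hx("CD 2F")]],                               # int 2Fh
    "M05 int 41h/4Fh returns 0F386h": [
        [hx("B8 4F 00 CD 41")],                       # mov ax,4Fh / int 41h
        [hx("3D 86 F3")]],                            # cmp ax, 0F386h
    "M06 int 41h with hooked vector and PIT value": [
        [hx("E4 40 ?? ?? CD 41")]],                   # in al,40h / xor cx,cx / int 41h
    "M07 int 68h/43h returns 0F386h": [
        [hx("B4 43 CD 68")], [hx("3D 86 F3")]],       # mov ah,43h / int 68h
    "M08 int 21h/25h rehooks int 01h or int 03h": [
        [hx("B4 25 B0 01"), hx("B4 25 B0 03"),        # mov ah,25h / mov al,01h|03h
         hx("B8 01 25"), hx("B8 03 25")]],            # mov ax, 2501h|2503h
    "M11 MeltICE device name": [
        [txt(b"\\\\.\\SICE"), txt(b"\\\\.\\SIWVID"), txt(b"\\\\.\\NTICE")]],
    "M12 VxDCall VWIN32_Int41Dispatch (002A002Ah)": [
        [hx("68 2A 00 2A 00")], [hx("3D 86 F3")]],    # push 002A002Ah
    "M13 SoftICE registry key": [
        [txt(b"NuMega\\SoftICE"), txt(b"Uninstall\\SoftICE"),
         txt(b"App Paths\\Loader32.Exe")]],
}


def find_pattern(data, pattern):
    """Offsets in `data` at which every (value, mask) pair of `pattern` matches."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all((data[i + j] & m) == v for j, (v, m) in enumerate(pattern))]


def scan(data):
    """Return {signature: [first offset of each requirement]} for every
    signature whose requirements are all present in `data`."""
    report = {}
    for name, requirements in SIGNATURES.items():
        offsets = []
        for alternatives in requirements:
            hits = [o for pat in alternatives for o in find_pattern(data, pat)]
            if not hits:
                break
            offsets.append(min(hits))
        else:                                         # no requirement failed
            report[name] = offsets
    return report


# Constructed sample: 16-byte header, the Method 01 sequence (32-bit code),
# the simplest Method 05 sequence (16-bit code), then two MeltICE names.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"          # mov ax, 4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al, 4
    + b"\x75\x10"                  # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\xB8\x4F\x00"              # mov ax, 4Fh
    + b"\xCD\x41"                  # int 41h
    + b"\x3D\x86\xF3"              # cmp ax, 0F386h
    + b"\x74\x05"                  # jz SoftICE_detected
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE).items():
        print(name + ": " + ", ".join("%#06x" % o for o in offs))
```

Run it over a real file with `scan(open(path, "rb").read())`. Method 09, 10 and 14 have no fixed bytes a file scanner can key on (VMMCall is resolved through the VxD dynamic-link int 20h mechanism and DR accesses are plain `mov` instructions), which is why the page only gives SoftICE breakpoints for those; the int 41h and 0F386h requirements are deliberately split so that a stray `cmp ax, 0F386h` on its own does not trigger Methods 05, 07 or 12.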