<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of WinICE
    int 2Fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2Fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must be 0 (the IVT segment) here, as set in Method 06 below
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00 ; OF_READ
    mov eax,[00656634] ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589 ; detected
    push 00 ; OF_READ
    mov eax,[00656638] ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh ; function 4fh
    push 002a002ah ; high word specifies which VxD (VWIN32),
                   ; low word specifies which service
                   ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
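As an added defensive example (not from the original text or from any of the programs it names), here is a Python scanner that flags the byte-level idioms of Methods 01 to 07 and 11 to 13 in a file, so a suspicious binary can be triaged for these anti-SoftICE tricks before it is ever single-stepped. The opcode encodings and the sample input are constructed from the mnemonics above and assume the usual 16-bit (DOS) and 32-bit (Win32) assembly of those snippets.

```python
import re
from typing import Dict, List, Tuple

# Byte-level signatures for the anti-SoftICE idioms of Methods 01-07 and 11-13.
# Constructed from the mnemonics above: 16-bit encodings for the DOS-side tricks,
# 32-bit for the Win32 ones; '.' allows a few unrelated bytes between
# instructions.  The encodings are assumptions about how the snippets assemble.
SIGNATURES: Dict[str, bytes] = {
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3 (66h prefix in 16-bit code)
    "01 BoundsChecker BCHK / int 3": rb"\x66?\xbd\x4b\x48\x43\x42.{0,8}\xcc",
    # 02: magic pair mov si,4647h / mov di,4A4Dh (either order), then int 3
    "02 SoftICE int 3 back door (SI=4647h DI=4A4Dh)":
        rb"(?:\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46).{0,8}\xcc",
    # 03/04: mov ax,1684h + mov bx,0202h|7A5Fh + int 2Fh
    "03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)":
        rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f",
    # 05: int 41h followed by cmp ax,0F386h
    "05 int 41h/4Fh debugger check (0F386h)": rb"\xcd\x41.{0,32}\x3d\x86\xf3",
    # 06: in al,40h ... int 41h (timer-port variant, no magic compare)
    "06 int 41h timer-port variant": rb"\xe4\x40.{0,8}\xcd\x41",
    # 07: mov ah,43h / int 68h / cmp ax,0F386h
    "07 int 68h/43h WinICE V86 handler": rb"\xb4\x43.{0,4}\xcd\x68.{0,8}\x3d\x86\xf3",
    # 11: MeltICE device names, ANSI or UTF-16LE (the wide form is a generalization)
    "11 MeltICE device name": (rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"
                               rb"|\\\x00\\\x00\.\x00\\\x00(?:S\x00I\x00C\x00E\x00"
                               rb"|S\x00I\x00W\x00V\x00I\x00D\x00|N\x00T\x00I\x00C\x00E\x00)"),
    # 12: push 4Fh / push 002A002Ah before Kernel32!ORD_0001 (VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # 13: registry keys naming the SoftICE installation
    "13 SoftICE registry key": rb"(?i:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
}

COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES.items()]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (method label, file offset) for each idiom found, sorted by offset."""
    hits = [(label, m.start()) for label, rx in COMPILED for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def methods_found(data: bytes) -> List[str]:
    """Deduplicated method numbers (the first token of each label), sorted."""
    return sorted({label.split()[0] for label, _ in scan(data)})


# Constructed sample: the Haspinst.exe back-door loop body (Method 02), the
# simple int 41h check (Method 05), a MeltICE device name and a registry path.
SAMPLE = (
    bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")   # mov ax,911h; mov dx,[bx]; si/di magic; int 3
    + b"\x90" * 6
    + bytes.fromhex("B84F00 CD41 3D86F3")            # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for label, off in scan(SAMPLE):
        print(f"{off:08x}  Method {label}")
```

Run it over a real file with `scan(open(path, "rb").read())`; a hit is a lead for the breakpoint listed under the matching method, not proof that the code is reached.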
H' i1 W9 t! i8 Q3 u$ f) Z7 J</PRE></TD></TR></TBODY></TABLE> |