<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce windows)
    -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 so that es:[41h*4] addresses the IVT (added; as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our own int 41h handler in
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; a system debugger answered anyway
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies al to cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; a changing value (timer) so cl==al is not a fluke
    xor cx,cx
    int 41h                 ; if SoftICE hooks int 41h, our handler never runs
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl still 0 -> our handler was bypassed
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

" n8 l! L' f) B( T! c, e" p6 aMethod 109 u( a/ F" t! P. U2 N2 K/ K9 k6 m
=========
3 p, C6 [* R7 i, w) @- k. {6 i2 q/ a- J4 q
=>Disable or clear breakpoints before using this feature. DO NOT trace with
( O9 J. L0 D4 d" l8 }- C6 Y SoftICE while the option is enable!!1 Z1 J, m: f$ `2 ^* \6 S% I
1 Q" n J, q/ i5 {
This trick is very efficient:! K& d! i; k r6 N2 E
by checking the Debug Registers, you can detect if SoftICE is loaded
. a4 ^ {7 o: {- g# g(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 r* C" ~7 X f6 w
there are some memory breakpoints set (dr0 to dr3) simply by reading their
' C# a9 s v8 V9 avalue (in ring0 only). Values can be manipulated and or changed as well
1 n5 ]/ v; ^1 B(clearing BPMs for instance)& x0 A) x+ E7 [1 w3 M, F
$ S* y4 j ^: e1 t6 X
__________________________________________________________________________1 r0 S2 l! F/ C3 a" l( d( b
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Win9x: opening the VxD by its device name succeeds only if it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
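Added example, not code from the original text: it shows where the 4-byte tag 'tICE' sits inside the subkey string of each registry path listed above, which is what the _regopenkey breakpoint tests at offsets 0x13 and 0x37 of its second argument (esp->8 is the subkey string; esp->4 is the HKEY_LOCAL_MACHINE handle). The subkey strings are taken from the three keys above; the breakpoint offsets are the ones in the BPX line.

```python
"""Where 'tICE' lies in each SoftICE registry subkey (constructed example)."""
from typing import Dict, List, Tuple

SUBKEYS: Dict[int, str] = {
    1: r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    2: r"Software\NuMega\SoftICE",
    3: r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}
BPX_OFFSETS: Tuple[int, ...] = (0x13, 0x37)   # offsets used by the BPX above
TAG = "tICE"                                  # 4 bytes compared as one dword


def tag_offset(subkey: str) -> int:
    """Offset of the 4-byte tag inside the subkey, or -1 if absent."""
    return subkey.find(TAG)


def bpx_matches(subkey: str) -> bool:
    """Mimic  *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'  on the
    subkey argument: compare the 4 bytes found at each fixed offset."""
    return any(subkey[off:off + 4] == TAG for off in BPX_OFFSETS)


def offsets_needed(subkeys: Dict[int, str]) -> List[int]:
    """Derive the offset list a breakpoint needs to cover every key that
    carries the tag (how the 0x13 / 0x37 pair is obtained)."""
    return sorted({tag_offset(s) for s in subkeys.values() if TAG in s})


def coverage() -> Dict[int, Tuple[int, bool]]:
    """Per key number: (offset of 'tICE', does the breakpoint above fire?)."""
    return {k: (tag_offset(s), bpx_matches(s)) for k, s in SUBKEYS.items()}


if __name__ == "__main__":
    for key, (off, hit) in coverage().items():
        print(f"#{key}: 'tICE' at {off:#x}, breakpoint fires: {hit}")
    print("offsets needed:", [hex(o) for o in offsets_needed(SUBKEYS)])
```

Key #1 carries the tag at 0x37 and key #2 at 0x13, so the breakpoint covers exactly the two keys whose name contains "SoftICE"; key #3 (Loader32.Exe) has no 'tICE' and needs a breakpoint of its own if you care about it.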
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>