<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
        mov ax, 04h
        int 3                   ; SoftICE intercepts this int 3 when it is loaded
        cmp al,4                ; al is still 4 if nothing answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old one in dx:bx
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h                 ; a system debugger still answers with 0F386h
        xchg dx, es:[41h*4]     ; restore the old handler
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler saves al in cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old one in dx:bx
        xchg bx, es:[41h*4+2]
        in al, 40h              ; hard-to-predict value from the PIT counter
        xor cx,cx
        int 41h                 ; reaches our handler only if nobody else owns int 41h
        xchg dx, es:[41h*4]     ; restore the old handler
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected    ; cl != al: our handler never ran

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
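As an added example (it is not part of the original text and not a tool from NuMega, Stone or any program quoted here), the Python script below does from the analyst's side what the BPX lines above do from inside SoftICE: it scans a binary for the exact byte sequences and strings quoted in Methods 01 to 13 (the 'BCHK' int 3, the 4647h/4A4Dh magic values, int 2Fh/1684h with the SICE and SIWVID VxD IDs, int 41h/4Fh, int 68h/43h, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the three registry keys), so a suspect file can be triaged for anti-SoftICE tricks before it is run. The signature names, the instruction encodings (which assume the operand order shown in each method) and the sample buffer are my own constructions.

```python
"""Static scan of a binary for the anti-SoftICE sequences and strings
described in Methods 01-13. Constructed example, not a tool from the
original text. Encodings assume the exact operand order shown in each
method, so this finds those textbook sequences, not every variant."""
import re
import sys

# (name, regex over raw bytes). The optional 0x66 operand-size prefix lets the
# 16-bit immediates match whether the code sits in a 16-bit or 32-bit segment.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("int3_bchk", re.compile(rb"\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc")),
    # Method 02: mov si,4647h and mov di,4A4Dh (backdoor magic values) close together
    ("int3_backdoor_magic",
     re.compile(rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46",
                re.DOTALL)),
    # Method 02, destructive variant: the HBOOT command string
    ("hboot_command", re.compile(rb"HBOOT")),
    # Methods 03/04: mov ax,1684h / mov bx,0202h (SICE) or 7A5Fh (SIWVID) / int 2Fh
    ("int2f_1684_vxd_id", re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f")),
    # Method 05: mov ax,4Fh / int 41h
    ("int41_4f", re.compile(rb"\xb8\x4f\x00\xcd\x41")),
    # Method 07: mov ah,43h / int 68h
    ("int68_43", re.compile(rb"\xb4\x43\xcd\x68")),
    # Method 11 (MeltICE via CreateFileA or _lopen): driver device names
    ("device_name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: registry keys revealing the SoftICE installation
    ("registry_key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(blob: bytes):
    """Return a sorted list of (offset, signature_name) for every hit in blob."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(hits):
    """Count hits per signature name; a quick triage verdict for a sample."""
    counts = {}
    for _, name in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: fragments of the sequences quoted in Methods 01, 03, 05,
# 11 and 13, padded with NOPs. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # Method 01 (16-bit)
    + b"\x90" * 4
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"          # Method 03
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"                  # Method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # Method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"                              # Method 13 registry key
)

if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:#010x}  {name}")
    print(summarize(scan(data)))
```

Run it with a file path to scan that file; with no argument it scans the built-in sample. A hit on int3_backdoor_magic together with hboot_command deserves a closer look before the program is traced under SoftICE, since that combination is the destructive variant described in Method 02.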
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>