About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes es = 0 (interrupt vector table segment)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the driver is exposed as a device name; opening it succeeds only if loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
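The methods above leave recognisable byte sequences in a binary, and a static scanner for them is how an analyst triages a protected executable before ever running it. The following scanner is an added example, not code from the original text: its patterns are the standard x86 encodings of the instructions quoted in methods 01, 02, 03/04, 05, 07, 11 and 12 (assuming 16-bit code for the DOS fragments and 32-bit code for the Method 01 probe and Method 12 pushes), and the sample buffer it scans is constructed for the demonstration.

```python
import re
import sys
from typing import List, Tuple

# (label, byte regex) pairs. Encodings are standard x86 for the instruction
# sequences quoted in the text; DOS fragments assumed 16-bit, Win32 ones 32-bit.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("Method 01: int 3 / BoundsChecker 'BCHK' probe",
     rb"\xBD\x4B\x48\x43\x42"),                          # mov ebp, 4243484Bh
    ("Method 02: int 3 back door magic SI=4647h, DI=4A4Dh",
     rb"\xBE\x47\x46\xBF\x4D\x4A"),                      # mov si,4647h / mov di,4A4Dh
    ("Method 03/04: int 2Fh/1684h lookup of SICE or SIWVID VxD",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),  # mov ax,1684h / mov bx,id / int 2Fh
    ("Method 05: int 41h function 4Fh debugger check",
     rb"\xB8\x4F\x00\xCD\x41"),                          # mov ax,4fh / int 41h
    ("Method 07: int 68h function 43h check",
     rb"\xB4\x43\xCD\x68"),                              # mov ah,43h / int 68h
    ("Method 11: SoftICE driver name (MeltICE / _lopen style)",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),      # push 4fh / push 002a002ah
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in re.finditer(pattern, data):
            hits.append((match.start(), label))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan a whole file image; fine for the small DOS/Win9x binaries discussed."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample image: NOP padding around four of the quoted sequences.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"        # Method 01 probe at offset 8
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"    # Method 02, magic values at 25
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                # Method 04 (SIWVID) at 33
    + b"\\\\.\\SICE\x00"                                 # Method 11 device name at 41
    + b"\x90" * 3
)

if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for offset, label in results:
        print(f"0x{offset:08X}  {label}")
```

A hit only says the byte sequence is present; confirm it in a disassembler, since the same bytes can occur in data or in unrelated code.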