About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP = 'BCHK' and AX = 4, an int 3 is handled by SoftICE as a BoundsChecker
request and AL is returned as 0 (without SoftICE it stays 4), so AL != 4
means the debugger is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'Back Door' interface on int 3, which gives information on breakpoints
or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD (ID 0202h) via int 2Fh/1684h
(Get VxD API Entry Point). If the VxD is not installed, ES:DI is left at
0000:0000, so a non-zero ES:DI means SoftICE is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID, 7A5Fh).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). For the duration of the call it swaps a
dummy int 41h handler into the real-mode interrupt vector table: SoftICE
intercepts int 41h before the vector is reached, so it still answers with
0F386h, while without SoftICE the dummy handler simply returns and ax keeps
its value of 4Fh. The original vector is restored afterwards:

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table at 0000:0000
                                    ; (same setup as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL. If our handler really ran, CL equals the
byte read from port 40h; if SoftICE swallowed the int 41h, CL is never
updated and the comparison fails.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer byte: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). The debugger
installation check (ah=43h) answers with the same 0F386h magic number as
int 41h/4Fh:

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

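As an added example (not part of the original text), here is a small Python decoder for the DR7 values Method 10 talks about, written against the standard Intel DR7 layout: bits 0-7 are the L/G enable pairs for DR0-DR3, bits 8 and 9 are LE/GE, bit 10 is the reserved bit that always reads as 1 (hence the idle value 0x400), bit 13 is GD, and bits 16-31 hold the R/W and LEN fields. The function names and the sample DR7 values are constructed for the example; the "0x700 means loaded through the SoftICE loader" rule is the one stated above, simply encoded.

```python
# Added example: decode DR7 as described in Method 10 (standard Intel DR7 layout).
#   bits 0..7          L0,G0,L1,G1,L2,G2,L3,G3   local/global enable for DR0..DR3
#   bit 8 LE, bit 9 GE                          exact-breakpoint enables
#   bit 10                                      reserved, always reads as 1
#   bit 13 GD                                   general detect (trap on DR access)
#   bits 16+4n..17+4n  R/Wn   00 exec, 01 write, 10 I/O, 11 read/write
#   bits 18+4n..19+4n  LENn   00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes (64-bit)

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the armed hardware breakpoints and control bits encoded in DR7."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            armed.append({"reg": n,
                          "scope": "global" if glob else "local",
                          "kind": RW_KIND[rw],
                          "len": LEN_BYTES[ln]})
    return {"armed": armed,
            "LE": bool(dr7 & 0x100),
            "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000)}


def classify(dr7: int) -> str:
    """Rule of thumb from Method 10: any L/G bit set means a BPM (DR0..DR3) is armed;
    0x700 (LE+GE on top of the reserved bit) is what the text reports when the target
    was started through the SoftICE loader; 0x400 is the bare idle value."""
    info = decode_dr7(dr7)
    if info["armed"]:
        return "bpm armed"
    if info["LE"] and info["GE"]:
        return "softice loader"
    return "idle"


def clear_bpm(dr7: int) -> int:
    """The 'clearing BPMs' manipulation: drop the L/G enables and the R/W-LEN fields,
    keep LE/GE/GD and the reserved bit (bits 8..15) untouched."""
    return dr7 & 0x0000FF00


# Constructed sample values (not captured from a real machine):
IDLE_DR7 = 0x400
LOADER_DR7 = 0x700
# DR0 global, write, 4 bytes (G0 = bit 1, RW0 = 01 at bit 16, LEN0 = 11 at bit 18)
# plus DR2 local, exec, 1 byte (L2 = bit 4, RW2 = LEN2 = 00)  ->  0xD0412
BPM_DR7 = 0x400 | 0x2 | (0b01 << 16) | (0b11 << 18) | 0x10

if __name__ == "__main__":
    for v in (IDLE_DR7, LOADER_DR7, BPM_DR7):
        print(f"DR7={v:#010x}: {classify(v)} {decode_dr7(v)['armed']}")
```

Reading DR7 still needs ring0 (a VxD on Win9x), so the decoder is meant for values you have already captured, e.g. with the `CPU` command or from a driver that copied dr0-dr7 out for you.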
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 'tICE' sits at offset
0x13 in key #2 and at offset 0x37 in key #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed          ; ZF is clear when a debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
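Most of the tricks above leave fixed byte sequences in the protected binary (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the int 2Fh/1684h VxD IDs, the int 41h/4Fh and int 68h/43h probes, the 0F386h comparison, the 002A002Ah VxDCall constant, the "\\.\SICE" device names and the NuMega registry keys). As an added example, not part of the original text, here is a Python scanner that looks for them statically, the kind of triage you would run on a packer before loading it under SoftICE. The instruction encodings are the standard x86 ones (B8+r imm for MOV r,imm, CD ib for INT, 3D iw for CMP AX,imm16, B4 ib for MOV AH,imm8, 68 id / 6A ib for PUSH); the signature names, the tolerance for a few bytes between setup and INT, and the sample blob are my own constructions.

```python
import re
import sys

# Added example: static signatures for the anti-SoftICE tricks described above
# (Methods 01-07, 11, 12 and 13). Opcode patterns use the standard x86 encodings
#   B8+r imm = MOV r16/r32,imm   CD ib = INT   3D iw = CMP AX,imm16
#   B4 ib = MOV AH,imm8          68 id = PUSH imm32   6A ib = PUSH imm8
# An optional 66h operand-size prefix is accepted in front of 16-bit MOV/CMP so the
# same pattern matches 16-bit DOS code and 32-bit Win32 code; ".{0,8}?" tolerates a
# few unrelated bytes between the register setup and the INT.

def _code(pattern: bytes):
    return re.compile(pattern, re.DOTALL)        # "." must also match 0x0A

def _text(pattern: bytes):
    return re.compile(pattern, re.IGNORECASE)    # device/registry names are case-insensitive

SIGNATURES = [
    ("M01_BCHK",          _code(rb"\x66?\xBD\x4B\x48\x43\x42")),                   # mov ebp,4243484Bh
    ("M02_BACKDOOR",      _code(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A")),   # mov si,4647h ; mov di,4A4Dh
    ("M03_INT2F_SICE",    _code(rb"\x66?\xBB\x02\x02.{0,8}?\xCD\x2F")),            # mov bx,0202h ; int 2Fh
    ("M04_INT2F_SIWVID",  _code(rb"\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F")),            # mov bx,7A5Fh ; int 2Fh
    ("M05_INT41_4F",      _code(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41")),            # mov ax,4Fh ; int 41h
    ("M07_INT68_43",      _code(rb"\xB4\x43.{0,8}?\xCD\x68")),                     # mov ah,43h ; int 68h
    ("MAGIC_F386",        _code(rb"\x66?\x3D\x86\xF3")),                           # cmp ax,0F386h
    ("M12_VXDCALL_INT41", _code(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),  # push 4Fh ; push 2A002Ah
    ("M11_MELTICE",       _text(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),           # "\\.\SICE" etc.
    ("M13_REGKEY",        _text(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe")),
]


def scan(data: bytes):
    """Return [(offset, signature_name), ...] for every hit, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(data: bytes):
    """Map each signature name to the list of offsets where it was found."""
    out = {}
    for off, name in scan(data):
        out.setdefault(name, []).append(off)
    return out


# Constructed sample blob (hand-assembled for the example, not taken from a real file):
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"       # Method 01 (32-bit code)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xB8\x11\x09\xCC"                      # Method 02 (16-bit code)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                      # Method 05 (16-bit code)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00\x66\x3D\x86\xF3"  # Method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                               # Method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"                                 # Method 13 registry key
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(blob):
        print(f"{off:08x}  {name}")
```

Run it against an unpacked image (or a dump taken after the unpacking stub has finished): a packer that obfuscates its immediates or builds the magic values at run time will not show up, so a clean scan proves nothing, but each hit tells you which of the breakpoints listed above to set before you start tracing.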