<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
    xor ax,ax
    mov es,ax              ; ES = 0 so that es:[41h*4] addresses the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own (empty) int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                ; ...a debugger hooking int 41h answers 0F386h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; unpredictable value read from the timer
    xor cx,cx
    int 41h                ; our handler copies al into cl unless a debugger took the int
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).
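The dr7=0x700 / 0x400 figures above only make sense once you know what the DR7 bits encode. The decoder below is an added example, not part of the original article: it lists which hardware breakpoints (the BPMs SoftICE programs into dr0..dr3) a DR7 value enables, using the standard x86 DR7 layout (L/G enable bits 0..7, LE/GE at bits 8..9, bit 10 always set, GD at bit 13, R/W and LEN fields from bit 16) rather than anything stated on the page; the SAMPLE_DR7 value is constructed for the demonstration.

```python
"""DR7 decoder for the debug-register check described in Method 10.

Added example, not part of the original article. It lists which hardware
breakpoints (the BPMs SoftICE programs into dr0..dr3) a DR7 value enables,
using the standard x86 DR7 bit layout; the sample values are constructed.
"""
from dataclasses import dataclass

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # 8 bytes is only valid in 64-bit mode


@dataclass(frozen=True)
class HwBreakpoint:
    index: int        # 0..3 -> dr0..dr3 holds the linear address
    local: bool       # Ln bit (bit 2n)
    global_: bool     # Gn bit (bit 2n+1)
    rw: str           # R/Wn field (bits 16+4n .. 17+4n)
    length: int       # LENn field (bits 18+4n .. 19+4n)


def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoints plus the LE/GE/GD control bits."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                     # slot n is disabled
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append(HwBreakpoint(n, local, glob, RW_TYPES[rw], LEN_BYTES[ln]))
    return {
        "breakpoints": bps,
        "le": bool((dr7 >> 8) & 1),      # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),      # global exact breakpoint enable
        "gd": bool((dr7 >> 13) & 1),     # general detect: traps MOV to/from DRn
    }


def matches_softice_loader(dr7: int) -> bool:
    """The page's observation: dr7 reads 0x700 under the SoftICE loader and
    0x400 otherwise, i.e. the loader sets LE and GE (bit 10 is always set)."""
    return (dr7 & 0x300) == 0x300


# Constructed sample: slot 0 enabled locally as a 4-byte write breakpoint
# on top of the 0x400 baseline -> L0=1, R/W0=01b, LEN0=11b.
SAMPLE_DR7 = 0x400 | 0x1 | (0x1 << 16) | (0x3 << 18)

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_DR7):
        print("%08X -> %s" % (value, decode_dr7(value)))
```

Run it stand-alone to see the three values decoded; decode_dr7 on a value read in ring 0 tells you immediately whether a memory breakpoint is armed and on what kind of access, which is what the check in this method is really reacting to.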
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
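Most of the tricks on this page (Methods 01, 02, 03, 04, 05, 07, 11, 12 and 13) leave distinctive constants in the binary: the 'BCHK' immediate, the 4647h/4A4Dh magic values, the VxD IDs 0202h/7A5Fh, the 0F386h compare, the 002A002Ah VxDCall service number, the \\.\SICE-style device names and the NuMega registry path. The Python script below is an added example, not code from the original article: it scans a raw code/data blob for those byte patterns and reports which method each hit corresponds to, and it splits a VxDCall service number into its VxD ID and service index as Method 12 describes. The byte encodings are hand-derived from the listings above (16-bit encodings where the page shows 16-bit code, so a 66h-prefixed 32-bit variant of the same instruction may be missed), the sample blob is constructed for the demonstration, and a raw-byte match is a triage hint rather than proof (a `3D 86 F3` sequence can occur by chance in data).

```python
"""Static triage for the anti-SoftICE checks catalogued on this page.

Added example, not part of the original article: scans a raw code/data blob
for byte patterns matching the detection tricks above and reports which
'Method' each hit corresponds to. All patterns are hand-encoded from the
listings on the page; the sample blob at the bottom is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    method: str        # Method number(s) from this page
    description: str
    offset: int        # byte offset of the hit in the scanned blob


# Instruction patterns derived from the page's listings (little-endian
# immediates; 16-bit encodings where the listing is 16-bit code).
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)", b"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h (SoftICE back-door magic value 1)", b"\xBE\x47\x46"),
    ("02", "mov di,4A4Dh (SoftICE back-door magic value 2)", b"\xBF\x4D\x4A"),
    ("03", "mov bx,0202h (VxD ID of SICE)", b"\xBB\x02\x02"),
    ("04", "mov bx,7A5Fh (VxD ID of SIWVID)", b"\xBB\x5F\x7A"),
    ("05", "mov ax,4Fh ; int 41h (debugger installation check)", b"\xB8\x4F\x00\xCD\x41"),
    ("05/07/12", "cmp ax,0F386h (system-debugger magic number)", b"\x3D\x86\xF3"),
    ("07", "mov ah,43h ; int 68h (V86 WinICE handler check)", b"\xB4\x43\xCD\x68"),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)", b"\x68\x2A\x00\x2A\x00"),
]

# Strings: device names opened by 'MeltICE' (Method 11) and the NuMega
# registry path (Method 13), searched both as ASCII and as UTF-16LE.
STRINGS = [
    ("11", "\\\\.\\SICE"),
    ("11", "\\\\.\\SIWVID"),
    ("11", "\\\\.\\NTICE"),
    ("13", "Software\\NuMega\\SoftICE"),
]


def decode_vxdcall_service(dword: int) -> tuple:
    """Split a VxDCall service number into (VxD ID, service index):
    the high word names the VxD (002Ah = VWIN32), the low word the service."""
    return (dword >> 16) & 0xFFFF, dword & 0xFFFF


def _find_all(haystack: bytes, needle: bytes):
    """Yield every (possibly overlapping) offset of needle in haystack."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def scan(data: bytes) -> list:
    """Return all signature hits in data, ordered by offset."""
    found = []
    for method, desc, pattern in SIGNATURES:
        for off in _find_all(data, pattern):
            found.append(Finding(method, desc, off))
    for method, text in STRINGS:
        for label, enc in (("ASCII", text.encode("ascii")),
                           ("UTF-16LE", text.encode("utf-16-le"))):
            for off in _find_all(data, enc):
                found.append(Finding(method, "string %r (%s)" % (text, label), off))
    return sorted(found, key=lambda f: f.offset)


def methods_hit(data: bytes) -> set:
    """The set of page methods for which at least one pattern was found."""
    return {f.method for f in scan(data)}


# Constructed sample: fragments of the page's listings, hand-assembled and
# padded with NOPs. It is not taken from any real binary.
SAMPLE = (
    b"\xBD\x4B\x48\x43\x42"             # mov ebp,4243484Bh ('BCHK')       (Method 01)
    + b"\xB8\x04\x00\xCC"               # mov ax,4 ; int 3  (16-bit)
    + b"\x90" * 4
    + b"\xB8\x11\x09"                   # mov ax,0911h      (16-bit)       (Method 02)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 4
    + b"\x68\x4F\x00\x00\x00"           # push 0000004Fh    (32-bit)       (Method 12)
    + b"\x68\x2A\x00\x2A\x00"           # push 002A002Ah
    + b"\x66\x3D\x86\xF3"               # cmp ax,0F386h     (32-bit, 66h prefix)
    + b"\x90" * 4
    + "\\\\.\\SICE".encode("ascii") + b"\x00"   # MeltICE device name    (Method 11)
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("%06X  Method %-8s %s" % (f.offset, f.method, f.description))
    vxd, svc = decode_vxdcall_service(0x002A002A)
    print("VxDCall 002A002Ah -> VxD %04Xh, service %04Xh" % (vxd, svc))
```

Feed scan() the raw bytes of a file you are analysing and use the offsets as places to set the corresponding breakpoints listed on this page; a hit on the "05/07/12" pattern alone only says a 0F386h comparison exists, so confirm it against the surrounding int 41h / int 68h / VxDCall sequence before drawing conclusions.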
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>