<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: with EBP holding
the signature 'BCHK' and AX=4, the int 3 is answered by SoftICE's handler,
which alters AL; without SoftICE the int 3 is an ordinary breakpoint and AL
comes back untouched.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door commands': an int 3 with magic values in SI/DI gives
information on breakpoints, executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded:
  without SoftICE the int 3 reaches the program's own handler instead of the
  back door.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point): ES:DI comes back non-zero only if a
VxD with that ID is loaded.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by every system
debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the real-mode
int 41h vector at its own iret handler, so that AX can only come back as
0F386h if something else (SoftICE) intercepts int 41h before the IVT:

    mov bx, cs              ; assumes ES = 0 (real-mode IVT), set as in method 06
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, old vector saved in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but harder to spot: instead of
looking for the 0F386h value, it checks whether its own int 41h handler
actually ran. The handler copies AL (a value just read from the timer port,
so different on every run) into CL; if SoftICE catches int 41h first, the
handler never runs, CL is still 0 and differs from AL. (Once in 256 runs the
timer byte itself is 0 and the check misses.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> real-mode IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, old vector saved in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer channel 0 as a quick random value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). As with int 41h, a
system debugger answers function 43h with the 0F386h magic value:

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system: it
intercepts int 01h and int 03h and redirects them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if some memory breakpoints (BPM) are set (DR0 to DR3), simply
by reading their value (ring 0 only, since MOV from a DRx is privileged).
Values can be manipulated and changed as well (clearing BPMs, for instance).

__________________________________________________________________________
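Decoding DR7 the way such a check does, as an added example (not code from the original page or from any protection it mentions). The bit layout is the documented Intel DR7 layout; the two values quoted above (0x700 and 0x400) are used as samples, and 0x000D0701 is a hand-built DR7 with one local 4-byte write breakpoint in slot 0, i.e. what a BPM on DR0 would leave behind. Function names are this example's own.

```python
# DR7 field layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable for slots 0-3)
#   bit 8      : LE    bit 9 : GE   (exact breakpoint flags; the text says the
#                                    SoftICE loader leaves both set -> 0x700)
#   bit 10     : reserved, always reads as 1 (hence the 0x400 in both values)
#   bit 13     : GD    (general detect: trap on any MOV to/from a DRx)
#   bits 16-31 : per slot i, R/W at bit 16+4i (2 bits), LEN at bit 18+4i (2 bits)
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_GD = 1 << 13
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) is long-mode only


def decode_dr7(dr7):
    """Split DR7 into the flags and the four breakpoint slots a checker looks at."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else None),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & DR7_LE),
        "GE": bool(dr7 & DR7_GE),
        "GD": bool(dr7 & DR7_GD),
        "slots": slots,
    }


def active_breakpoints(dr7, dr0_3):
    """List (slot, address, type, length) for every enabled slot, i.e. the BPMs
    a protection reading DR0-DR3 would see.  dr0_3 is the tuple (DR0..DR3)."""
    info = decode_dr7(dr7)
    return [
        (i, dr0_3[i], s["type"], s["length"])
        for i, s in enumerate(info["slots"])
        if s["enabled"]
    ]


def looks_like_softice_loader(dr7):
    """The heuristic from the text: LE and GE both set (0x700) versus only the
    reserved bit (0x400) for a normally started program."""
    info = decode_dr7(dr7)
    return info["LE"] and info["GE"]


def clear_breakpoints(dr7):
    """What a protection does when it 'clears BPMs': drop every enable bit and
    every R/W and LEN field, keep the flag bits 8-15 (reserved bit included)."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # constructed sample values, not captured from a real machine
    samples = (("SoftICE loader", 0x700), ("normal start", 0x400), ("one BPM", 0x000D0701))
    for name, dr7 in samples:
        info = decode_dr7(dr7)
        print(f"{name:15s} DR7={dr7:#010x} LE={info['LE']} GE={info['GE']} "
              f"active={active_breakpoints(dr7, (0x401000, 0, 0, 0))}")
```

The same bit arithmetic in the other direction (OR-ing an enable bit and R/W/LEN pair into DR7) is all a ring 0 protection needs to plant its own hardware breakpoint or to silently overwrite yours, which is why the warning above tells you to clear BPMs before tracing such code.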

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program load
or unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the four
  bytes compared are the start of the device name)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                ; _lopen returns -1 (HFILE_ERROR) when the open fails
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey string; 0x13 is the offset of "tICE" inside
"Software\NuMega\SoftICE" and 0x37 its offset inside the Uninstall key #1)

__________________________________________________________________________
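A static scanner for the byte patterns behind these tricks, as an added example (not code from the original page or from any tool it mentions). It encodes the instruction sequences and strings shown in methods 01 to 07, 11, 12 and 13 as byte regexes: register loads use the standard 16-bit encodings with an optional 66h operand-size prefix so the same pattern also hits 32-bit code, a few bytes of junk are tolerated between the instructions, and the registers are assumed to be loaded in the order the page shows them (a real packer may reorder them, which would need extra alternatives). The sample blob is hand-assembled for this example, not taken from a real protection.

```python
import re

# Encodings used below: B8/BB/BE/BF imm16 = mov ax/bx/si/di; BD imm32 = mov ebp;
# B4 imm8 = mov ah; 3D imm16 = cmp ax; CC = int 3; CD xx = int xx;
# 6A imm8 = push byte; 68 imm32 = push dword; 66 = operand-size prefix.
_GAP = rb".{0,8}?"          # tolerated junk between two instructions of a pattern

SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' int 3 check",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42" + _GAP +          # mov ebp, 4243484Bh ('BCHK')
     rb"(?:\x66)?\xB8\x04\x00" + _GAP + rb"\xCC"),        # mov ax, 4 ; int 3
    ("Method 02: SoftICE back door (SI='FG', DI='JM', int 3)",
     rb"(?:\x66)?\xBE\x47\x46" + _GAP +                   # mov si, 4647h
     rb"(?:\x66)?\xBF\x4D\x4A" + _GAP + rb"\xCC"),        # mov di, 4A4Dh ; int 3
    ("Method 03: int 2Fh/1684h for VxD 0202h (SICE)",
     rb"(?:\x66)?\xB8\x84\x16" + _GAP +                   # mov ax, 1684h
     rb"(?:\x66)?\xBB\x02\x02" + _GAP + rb"\xCD\x2F"),    # mov bx, 0202h ; int 2Fh
    ("Method 04: int 2Fh/1684h for VxD 7A5Fh (SIWVID)",
     rb"(?:\x66)?\xB8\x84\x16" + _GAP +
     rb"(?:\x66)?\xBB\x5F\x7A" + _GAP + rb"\xCD\x2F"),    # mov bx, 7A5Fh ; int 2Fh
    ("Method 05: int 41h function 4Fh",
     rb"(?:\x66)?\xB8\x4F\x00" + _GAP + rb"\xCD\x41"),    # mov ax, 4Fh ; int 41h
    ("Method 07: int 68h function 43h + 0F386h compare",
     rb"\xB4\x43" + _GAP + rb"\xCD\x68" + rb".{0,16}?" +  # mov ah, 43h ; int 68h
     rb"(?:\x66)?\x3D\x86\xF3"),                          # cmp ax, 0F386h
    ("Method 12: VxDCall VWIN32_Int41Dispatch(4Fh) + 0F386h compare",
     rb"\x6A\x4F.{0,4}?\x68\x2A\x00\x2A\x00" +            # push 4Fh ; push 002A002Ah
     rb".{0,24}?\x66\x3D\x86\xF3"),                       # call ... ; cmp ax, 0F386h
]
# Plain strings from methods 11 and 13 (ASCII only; a Unicode build of the
# same check would also need the UTF-16LE forms).
for _label, _s in [
    ("Method 11: device name \\\\.\\SICE", b"\\\\.\\SICE"),
    ("Method 11: device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("Method 11: device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    ("Method 13: registry key Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
    ("Method 13: registry key ...\\Uninstall\\SoftICE", b"Uninstall\\SoftICE"),
]:
    SIGNATURES.append((_label, re.escape(_s)))

COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob):
    """Return [(offset, label), ...] for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: the page's sequences assembled by hand, with a 4-byte
# NOP sled in front so the first hit is not at offset 0.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x00"       # method 01 (32-bit code)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xB8\x11\x09\xCC"                       # method 02 (16-bit code)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                               # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                       # method 05
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                                   # method 07
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # method 12
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00"  # methods 11/13
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, label in scan(data):
        print(f"{off:#08x}  {label}")
```

Run it on a packed executable (or a memory dump taken after the unpacking stub has finished, since the stub usually keeps these sequences encrypted on disk) and the offsets tell you where to put a BPX before the check fires. The bare `cmp ax,0F386h` is deliberately not a signature of its own: three bytes on their own produce far too many false hits, so it is only matched a short distance after an int 68h or a VxDCall.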


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>