<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet. It uses the
BoundsChecker interface built into SoftICE: with EBP holding the 'BCHK'
signature and AX = 4, the INT 3 is answered by SoftICE, which changes AL;
without SoftICE the interrupt returns with AL still equal to 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information about breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via the program's exception handler (SEH)
  if the debugger is not loaded: without SoftICE nothing answers the INT 3.
___________________________________________________________________________

Method 03
=========

A less common method. It asks for the protected-mode API entry point of the
SoftICE VxD via int 2Fh/1684h (Get Device API Entry Point), with the VxD ID
in BX. If the VxD is not loaded, ES:DI comes back as 0000:0000, which is
what the code tests for.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WINICE
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at its own dummy handler (a plain IRET), so that without a debugger AX comes
back untouched; SoftICE still answers because it takes int 41h before the
real-mode vector is reached:

    mov bx, cs              ; assumes ES = 0 (IVT segment)
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but harder to detect. Instead of
looking for 0F386h it installs its own int 41h handler, which copies AL into
CL, reads the timer (port 40h) into AL, clears CX and issues int 41h.
Without SoftICE the handler runs and CL equals AL afterwards; with SoftICE
loaded the interrupt is taken by the debugger and the program's handler is
never reached, so CL stays 0 while AL holds the timer byte. (A timer byte
of 0 gives a false negative once in 256 tries.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 (IVT segment)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; "random" byte from the timer
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h is
another debugger installation check, answered with 0F386h as well.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client EIP
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system by intercepting int 01h
and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns that device's Device Description Block
(in ecx) if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if the program was loaded with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their value (ring 0 only: a MOV from a debug
register faults in ring 3). The values can be manipulated or changed as well
(clearing BPMs, for instance).
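
Decoding the register the text refers to, as an added example (not code from
the original page or from SoftICE): the bit layout below is Intel's documented
DR7 format, and the 0x700/0x400 readings are the two values quoted above.
The actual read, "mov eax, dr7", needs ring 0 and is not performed; the
functions take a value already read and show what a BPM-style breakpoint
looks like in DR7 and how clearing one, as the text mentions, puts the
register back to 0x400.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0-7   L0,G0 .. L3,G3   local/global enable for DR0..DR3
 *   bit  8     LE               local exact breakpoint enable
 *   bit  9     GE               global exact breakpoint enable
 *   bit  10    reserved, reads as 1  -> an otherwise empty DR7 reads 0x400
 *   bit  13    GD               general detect (trap MOV to/from DRx)
 *   bits 16-17, 20-21, 24-25, 28-29   R/W0..3  00 exec, 01 write, 11 read/write
 *   bits 18-19, 22-23, 26-27, 30-31   LEN0..3  00 1 byte, 01 2, 11 4 (10 = 8, 64-bit only)
 */
#define DR7_LE (1u << 8)
#define DR7_GE (1u << 9)
#define DR7_GD (1u << 13)

typedef struct {
    int enabled;         /* L or G bit set for this slot */
    int global;          /* the G bit specifically */
    unsigned rw;         /* 0 exec, 1 write, 3 read/write */
    unsigned len_bytes;  /* 1, 2, 4 (8 only in 64-bit mode) */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    int le, ge, gd;
    int any_breakpoint;  /* at least one of DR0..DR3 is armed */
} dr7_info_t;

dr7_info_t dr7_decode(uint32_t dr7)
{
    static const unsigned len_tab[4] = { 1, 2, 8, 4 };
    dr7_info_t info = { 0 };
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;
        int g = (dr7 >> (2 * i + 1)) & 1;
        info.slot[i].enabled   = l | g;
        info.slot[i].global    = g;
        info.slot[i].rw        = (dr7 >> (16 + 4 * i)) & 3;
        info.slot[i].len_bytes = len_tab[(dr7 >> (18 + 4 * i)) & 3];
        info.any_breakpoint   |= info.slot[i].enabled;
    }
    info.le = (dr7 & DR7_LE) != 0;
    info.ge = (dr7 & DR7_GE) != 0;
    info.gd = (dr7 & DR7_GD) != 0;
    return info;
}

/* Single-field accessors for checks that only care about one slot. */
int      dr7_slot_armed(uint32_t dr7, int s) { dr7_info_t d = dr7_decode(dr7); return d.slot[s].enabled; }
unsigned dr7_slot_rw(uint32_t dr7, int s)    { dr7_info_t d = dr7_decode(dr7); return d.slot[s].rw; }
unsigned dr7_slot_len(uint32_t dr7, int s)   { dr7_info_t d = dr7_decode(dr7); return d.slot[s].len_bytes; }

/* Arm one slot the way a BPM-style memory breakpoint needs it in DR7 (the
 * linear address itself goes into DR0..DR3, which is not modelled here). */
uint32_t dr7_arm_slot(uint32_t dr7, int s, unsigned rw, unsigned len_bytes, int global)
{
    unsigned len_code = (len_bytes == 1) ? 0 : (len_bytes == 2) ? 1 : (len_bytes == 8) ? 2 : 3;
    dr7 &= ~(0xFu << (16 + 4 * s));                           /* clear R/W and LEN */
    dr7 |= ((rw & 3u) | (len_code << 2)) << (16 + 4 * s);
    dr7 |= 1u << (2 * s + (global ? 1 : 0));                  /* L or G enable */
    return dr7;
}

/* Disarm one slot: the "clearing BPMs" manipulation the text mentions. */
uint32_t dr7_disarm_slot(uint32_t dr7, int s)
{
    dr7 &= ~(0xFu << (16 + 4 * s));
    dr7 &= ~(3u << (2 * s));
    return dr7;
}

/* The reading quoted in the text: 0x700 = LE|GE|reserved after the SoftICE
 * loader, 0x400 = reserved bit only on an untouched machine. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

int main(void)
{
    /* Constructed values: the two readings from the text plus a DR7 with
     * DR0 armed as a 4-byte write breakpoint. */
    uint32_t samples[] = { 0x400, 0x700, dr7_arm_slot(0x400, 0, 1, 4, 0) };
    for (int i = 0; i < 3; i++) {
        dr7_info_t d = dr7_decode(samples[i]);
        printf("DR7=%08x LE=%d GE=%d armed=%d loader=%d\n", (unsigned)samples[i],
               d.le, d.ge, d.any_breakpoint, dr7_looks_like_softice_loader(samples[i]));
        for (int s = 0; s < 4; s++)
            if (d.slot[s].enabled)
                printf("  DR%d: rw=%u len=%u %s\n", s, d.slot[s].rw, d.slot[s].len_bytes,
                       d.slot[s].global ? "global" : "local");
    }
    return 0;
}
```

The decoder is what a protection would run on the value it read; the arm/disarm
helpers are what a reverser needs to see which BPM a protection has wiped, or
to rebuild DR7 after it did.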

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 dword compared holds the first four characters of the device name, which is
 why 'SIWV' and 'NTIC' are enough for SIWVID and NTICE.)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
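
A static counterpart to the breakpoints scattered through this page, as an
added example (not code from the original page or from any program it names):
a scanner that walks a raw image and reports the byte patterns left by the
tricks of methods 01, 02, 03/04, 05 and 12 and by the MeltICE device names of
method 11. The sample image is constructed for the demonstration. The
signatures use the instruction encodings exactly as the listings order them
(16-bit encodings for the DOS-style listings, 32-bit for method 01, and
"push 0000004fh" assumed assembled to the short form 6A 4F), so a packer that
reorders them or interleaves junk will not match; that is also why a wildcard
is supported for the VxD ID loaded into BX.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define WILD (-1)        /* wildcard byte inside a signature */
#define MAX_HITS 16

typedef enum {
    TRICK_BCHK,         /* method 01: mov ebp,'BCHK' ahead of int 3 */
    TRICK_BACKDOOR16,   /* method 02: mov si,4647h / mov di,4A4Dh / int 3 (16-bit code) */
    TRICK_BACKDOOR32,   /* method 02 in 32-bit code: same with 66h operand-size prefixes */
    TRICK_INT2F_1684,   /* methods 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh */
    TRICK_INT41_4F,     /* method 05: mov ax,4Fh / int 41h / cmp ax,0F386h */
    TRICK_VXDCALL_4F,   /* method 12: push 4Fh / push 2A002Ah ahead of VxDCall */
    TRICK_DEVNAME       /* method 11: a \\.\SICE, \\.\SIWVID or \\.\NTICE string */
} trick_id;

typedef struct { trick_id id; const char *name; const int *pat; size_t len; } signature;
typedef struct { const signature *sig; size_t offset; } hit;

static const int s_bchk[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                    /* BD imm32: mov ebp,4243484Bh */
static const int s_bd16[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC };        /* BE iw, BF iw, CC */
static const int s_bd32[]   = { 0x66, 0xBE, 0x47, 0x46, 0x66, 0xBF, 0x4D, 0x4A, 0xCC };
static const int s_int2f[]  = { 0xB8, 0x84, 0x16, 0xBB, WILD, WILD, 0xCD, 0x2F };  /* VxD ID left open (0202h, 7A5Fh, ...) */
static const int s_int41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3 };  /* 3D iw: cmp ax,imm16 */
static const int s_vxd[]    = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };        /* 6A ib: push imm8, 68 id: push imm32 */
static const int s_sice[]   = { '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E' };
static const int s_siwvid[] = { '\\', '\\', '.', '\\', 'S', 'I', 'W', 'V', 'I', 'D' };
static const int s_ntice[]  = { '\\', '\\', '.', '\\', 'N', 'T', 'I', 'C', 'E' };

#define SIG(id, name, arr) { id, name, arr, sizeof(arr) / sizeof((arr)[0]) }
static const signature sigs[] = {
    SIG(TRICK_BCHK,       "BoundsChecker 'BCHK' int 3",              s_bchk),
    SIG(TRICK_BACKDOOR16, "SoftICE back door magic SI/DI (16-bit)",  s_bd16),
    SIG(TRICK_BACKDOOR32, "SoftICE back door magic SI/DI (32-bit)",  s_bd32),
    SIG(TRICK_INT2F_1684, "int 2Fh/1684h VxD entry point query",     s_int2f),
    SIG(TRICK_INT41_4F,   "int 41h/4Fh debugger installation check", s_int41),
    SIG(TRICK_VXDCALL_4F, "VxDCall VWIN32_Int41Dispatch 4Fh",        s_vxd),
    SIG(TRICK_DEVNAME,    "\\\\.\\SICE device name",                 s_sice),
    SIG(TRICK_DEVNAME,    "\\\\.\\SIWVID device name",               s_siwvid),
    SIG(TRICK_DEVNAME,    "\\\\.\\NTICE device name",                s_ntice),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

static int matches_at(const uint8_t *p, size_t avail, const signature *s)
{
    if (avail < s->len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && p[i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Walk the image byte by byte; record up to `max` hits in offset order and
 * return the total number of matches (which may exceed `max`). */
size_t scan_sice_tricks(const uint8_t *image, size_t n, hit *out, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t k = 0; k < NSIGS; k++)
            if (matches_at(image + off, n - off, &sigs[k])) {
                if (found < max) { out[found].sig = &sigs[k]; out[found].offset = off; }
                found++;
            }
    return found;
}

/* Constructed sample image (not a real binary): NOP filler around fragments
 * assembled from this page's listings, 16-bit encodings except method 01. */
static const uint8_t sample_image[] = {
    0x90, 0x90, 0x90, 0x90,                                      /* 00: filler */
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC,  /* 04: method 01 */
    0x90, 0x90,
    0xB8, 0x11, 0x09, 0x8B, 0x17,                                /* 10: mov ax,0911h / mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,                    /* 15: method 02 magic + int 3 */
    0x90,
    0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F,              /* 1D: method 04 (SIWVID ID) */
    0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,              /* 26: method 05 */
    0x90,
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,                    /* 2F: method 12 */
    0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,                /* 37: MeltICE string */
    '\\', '\\', '.', '\\', 'N', 'T', 'I', 'C', 'E', 0,           /* 40: MeltICE string */
};

static hit g_hits[MAX_HITS];
static size_t g_nhits;

/* Scan the sample image; the hits stay available through the accessors below. */
size_t scan_sample_image(void)
{
    size_t total = scan_sice_tricks(sample_image, sizeof sample_image, g_hits, MAX_HITS);
    g_nhits = total < MAX_HITS ? total : MAX_HITS;
    return total;
}
int  sample_hit_id(size_t i)     { return i < g_nhits ? (int)g_hits[i].sig->id : -1; }
long sample_hit_offset(size_t i) { return i < g_nhits ? (long)g_hits[i].offset : -1; }

int main(void)
{
    size_t n = scan_sample_image();
    printf("%zu hit(s)\n", n);
    for (size_t i = 0; i < g_nhits; i++)
        printf("  %04lx  %s\n", (unsigned long)g_hits[i].offset, g_hits[i].sig->name);
    return 0;
}
```

Against the constructed image this reports seven hits; the intended use is
to hand scan_sice_tricks the bytes of a packed executable before the first
BPX is set, so you know which of the tricks above to expect.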
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    (esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE"
    in key #2 and key #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>