<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax                 ; ES:DI still 0000:0000 -> no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; only a debugger hooked below the IVT answers
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                  ; our handler echoes al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; pseudo-random value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; our handler did not run -> someone else owns int 41h
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
     BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
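As an added example (not part of the original text), a Python decoder for the DR7 layout behind the two values quoted above: the bit positions are the standard x86 debug-register layout, the 0x700/0x400 interpretation is the text's own rule, and every value used below is constructed.

```python
"""Decode DR7 the way Method 10 reads it. Added example: the bit layout is the
standard x86 one (Intel SDM vol. 3, "Debug Registers"), the 0x700 / 0x400
interpretation comes from the text above, and all values are constructed."""

# R/W field (2 bits per slot): which access kind triggers the breakpoint.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field (2 bits per slot): size of the watched region in bytes.
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the per-slot (dr0..dr3) settings."""
    info = {
        "LE": bool(dr7 >> 8 & 1),    # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),    # global exact breakpoint enable
        "GD": bool(dr7 >> 13 & 1),   # general detect: trap on any DRx access
        "slots": [],
    }
    for i in range(4):
        local = dr7 >> (2 * i) & 1          # L0..L3 sit at even bits 0,2,4,6
        glob = dr7 >> (2 * i + 1) & 1       # G0..G3 sit at odd bits 1,3,5,7
        if local or glob:
            rw = dr7 >> (16 + 4 * i) & 3    # R/Wi at bits 16+4i
            ln = dr7 >> (18 + 4 * i) & 3    # LENi at bits 18+4i
            info["slots"].append({
                "dr": i, "local": bool(local), "global": bool(glob),
                "kind": RW_KIND[rw], "len": LEN_BYTES[ln],
            })
    return info


def softice_loader_signature(dr7: int) -> bool:
    """The text's rule: 0x700 (LE and GE set on top of the always-set bit 10)
    means the program was started through the SoftICE loader; 0x400 means not."""
    flags = decode_dr7(dr7)
    return flags["LE"] and flags["GE"]


def active_bpm_slots(dr7: int) -> list:
    """Which of dr0..dr3 currently carry an enabled memory breakpoint (BPM)."""
    return [s["dr"] for s in decode_dr7(dr7)["slots"]]


if __name__ == "__main__":
    # Constructed values: the two quoted by the text, plus one with a BPM
    # (global, read/write, 4 bytes) armed in dr0.
    for value in (0x400, 0x700, 0x400 | 0x2 | (0x3 << 16) | (0x3 << 18)):
        print(hex(value), softice_loader_signature(value), decode_dr7(value))
```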
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025            ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
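As an added example (not part of the original text), a Python static scanner that flags the byte-level fingerprints of Methods 01, 02, 05/12, 11 and 13 in a file image, so an analyst can see which anti-SoftICE checks a sample carries before stepping into them. The byte patterns are the standard x86 encodings of the instructions quoted in those sections (16-bit forms for the SI/DI moves, which also match when a 66h prefix precedes them); SAMPLE is a constructed buffer, not a real binary.

```python
"""Static scan for the anti-SoftICE fingerprints of Methods 01, 02, 05/12,
11 and 13. Added example: the patterns are standard x86 encodings of the
instructions quoted in those sections; SAMPLE is constructed, not real."""
import re

# Signature name -> (method it belongs to, compiled regex over raw bytes).
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK') followed within 16 bytes by int 3 (CCh)
    "bchk_int3": ("01", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # mov si,4647h / mov di,4A4Dh (16-bit imm16 forms, either order), then int 3
    "sice_backdoor": ("02", re.compile(
        rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
        rb".{0,16}?\xCC", re.S)),
    # cmp ax,0F386h: 3D 86 F3 in 16-bit code, 66 3D 86 F3 in 32-bit code
    "magic_f386": ("05/12", re.compile(rb"\x66?\x3D\x86\xF3")),
    # device names handed to CreateFileA / _lopen: \\.\SICE, \\.\SIWVID, \\.\NTICE
    "driver_name": ("11", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # registry key #2 of Method 13
    "registry_key": ("13", re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
}

# Constructed buffer stitching the quoted instruction sequences together.
SAMPLE = b"".join([
    b"\x90" * 4,                               # padding (nop)
    b"\xBD\x4B\x48\x43\x42",                   # mov ebp,4243484Bh        (Method 01)
    b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10",   # mov ax,4 / int 3 / cmp al,4 / jnz
    b"\xB8\x11\x09\x8B\x17",                   # mov ax,0911h / mov dx,[bx] (Method 02)
    b"\xBE\x47\x46\xBF\x4D\x4A\xCC",           # mov si,4647h / mov di,4A4Dh / int 3
    b"\x6A\x4F\x68\x2A\x00\x2A\x00",           # push 4fh / push 002A002Ah (Method 12)
    b"\xE8\x00\x00\x00\x00",                   # call VxDCall (placeholder rel32)
    b"\x66\x3D\x86\xF3\x74\x05",               # cmp ax,0F386h / jz
    b"\\\\.\\SICE\x00",                        # device name string       (Method 11)
    b"Software\\NuMega\\SoftICE\x00",          # registry key string      (Method 13)
])


def scan(blob: bytes) -> dict:
    """Return {signature: [offsets]} for every fingerprint found in blob."""
    hits = {}
    for name, (_, pattern) in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


def report(blob: bytes) -> list:
    """Human-readable lines: which method's check sits at which offset."""
    return [f"Method {SIGNATURES[n][0]}: {n} at {', '.join(hex(o) for o in offs)}"
            for n, offs in scan(blob).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```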

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>