<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK', the BoundsChecker request signature
    mov ax, 04h
    int 3
    cmp al, 4                ; AL stays 4 when nobody handled the request
    jnz SoftICE_Detected     ; SoftICE's int 3 handler changed it

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command text is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di               ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point if the VxD answered
    add ax, di
    test ax, ax              ; still 0:0 when no such VxD is loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install a dummy int 41h handler (assumes ES = 0,
    xchg bx, es:[41h*4+2]    ; the interrupt vector table, as set in Method 06)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h           ; only a debugger that hooks int 41h returns the magic
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al               ; copy the caller's AL so it can be checked afterwards
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    in al, 40h               ; timer value: unpredictable, so no fixed magic number to spot
    xor cx, cx
    int 41h                  ; our handler copies AL into CL if it is reached at all
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected     ; CL still 0: a debugger handled int 41h itself

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h              ; DOS: set interrupt vector
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
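To make the DR7 values quoted above concrete for an analyst (what 0x700 and 0x400 actually encode, and which BPMs a given dr0-dr3/dr7 set describes), here is a small decoder. It is an added example and not code from this text or from SoftICE; the bit layout is the documented IA-32 one (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10 always reading 1, GD bit 13, R/W and LEN fields in bits 16-31), and all register values fed to it are constructed for the demonstration. Read that way, 0x400 is only the reserved bit and 0x700 is the reserved bit plus LE and GE.

```python
"""Decode x86 debug registers the way Method 10 reads them (added example)."""
from typing import Dict, List, Sequence

RW_MEANING = {0: "execute", 1: "write", 2: "I/O", 3: "read/write"}
# LEN encoding; 0b10 means 8 bytes only on 64-bit parts and was undefined on
# the 32-bit CPUs of the SoftICE era, so it is simply reported as 8 here.
LEN_MEANING = {0: 1, 1: 2, 3: 4, 2: 8}

RESERVED_BIT = 0x400                       # bit 10, always set when DR7 is read
LE_BIT, GE_BIT, GD_BIT = 0x100, 0x200, 0x2000


def decode_dr7(dr7: int, addrs: Sequence[int] = (0, 0, 0, 0)) -> Dict:
    """Return the global flags plus one record per enabled hardware breakpoint (BPM)."""
    bps: List[Dict] = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1     # Ln: bit 0, 2, 4, 6
        glob = (dr7 >> (2 * slot + 1)) & 1  # Gn: bit 1, 3, 5, 7
        if not (local or glob):
            continue                        # slot disabled: DRn content is stale
        rw = (dr7 >> (16 + 4 * slot)) & 3   # R/Wn field
        ln = (dr7 >> (18 + 4 * slot)) & 3   # LENn field
        bps.append({"slot": slot, "address": addrs[slot],
                    "scope": "global" if glob else "local",
                    "condition": RW_MEANING[rw], "length": LEN_MEANING[ln]})
    return {"LE": bool(dr7 & LE_BIT), "GE": bool(dr7 & GE_BIT),
            "GD": bool(dr7 & GD_BIT), "breakpoints": bps}


def exact_breakpoints_enabled(dr7: int) -> bool:
    """The difference between the text's 0x700 and 0x400: LE and GE both set."""
    return dr7 & (LE_BIT | GE_BIT) == (LE_BIT | GE_BIT)


def describe(dr0: int, dr1: int, dr2: int, dr3: int, dr7: int) -> List[str]:
    """Human-readable lines: a flag summary followed by one line per BPM."""
    info = decode_dr7(dr7, (dr0, dr1, dr2, dr3))
    lines = [f"DR7={dr7:#x} LE={info['LE']} GE={info['GE']} GD={info['GD']} "
             f"exact-breakpoint-enable={'yes' if exact_breakpoints_enabled(dr7) else 'no'}"]
    for bp in info["breakpoints"]:
        lines.append(f"  DR{bp['slot']}: {bp['condition']} breakpoint at "
                     f"{bp['address']:#010x}, {bp['length']} byte(s), {bp['scope']}")
    if not info["breakpoints"]:
        lines.append("  no hardware breakpoints enabled")
    return lines


if __name__ == "__main__":
    # Constructed input: the two DR7 values quoted in the text, then one
    # 4-byte read/write BPM in slot 0 (L0 set, R/W0 = 11, LEN0 = 11).
    for dr7 in (0x700, 0x400, RESERVED_BIT | 0x1 | (0b11 << 16) | (0b11 << 18)):
        print("\n".join(describe(0x00401000, 0, 0, 0, dr7)))
```

Running it prints, for the third value, one local read/write breakpoint of 4 bytes at 0x00401000, which is exactly the kind of BPM the text says the trick can read out and clear.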
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* Win9x drivers are opened by name; "\\.\SICE" is the SoftICE VxD. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;             /* the open succeeded: the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-01       ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
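The breakpoints listed for Methods 09 to 13 catch these tricks at run time, with SoftICE loaded. Before stepping through a packed sample an analyst usually wants a static first pass over the file for the same artefacts: the magic constants and interrupt sequences of Methods 01-07, the device names of Method 11 and the registry keys of Method 13. The scanner below is an added example written for that purpose; it is not code from this text and not a SoftICE feature. It assumes the plain 16-bit encodings for the DOS-style sequences (mov ax,imm16 = B8, mov bx,imm16 = BB, int = CD, cmp ax,imm16 = 3D, mov si/di,imm16 = BE/BF) and the 32-bit encoding for the BoundsChecker trick (mov ebp,imm32 = BD), so real samples that interleave other instructions or use different register choices are triage leads, not proof. The byte blob it scans is constructed here.

```python
"""Static triage scanner for the SoftICE-detection idioms of Methods 01-13 (added example)."""
import re
from typing import List, Tuple

# (label used in the text, description, regex over raw bytes)
OPCODE_SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("Method 01", "mov ebp,4243484Bh ('BCHK') before int 3",
     rb"\xBD\x4B\x48\x43\x42"),
    ("Method 02", "back door magic values mov si,4647h / mov di,4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),          # tolerate a few bytes in between
    ("Method 03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("Method 04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    ("Method 05", "mov ax,4Fh / int 41h debugger installation check",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("Method 05/12", "cmp ax,0F386h (system debugger magic number)",
     rb"\x3D\x86\xF3"),
    ("Method 07", "mov ah,43h / int 68h (V86 WinICE handler)",
     rb"\xB4\x43\xCD\x68"),
]

# String artefacts; the ANSI and the UTF-16LE spellings are both checked so the
# W variants of CreateFile/RegOpenKey are covered as well.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                 b"App Paths\\Loader32.Exe"]


def _string_signatures() -> List[Tuple[str, str, bytes]]:
    sigs = []
    for label, desc, names in (("Method 11", "SoftICE device name", DEVICE_NAMES),
                               ("Method 13", "SoftICE registry key", REGISTRY_KEYS)):
        for name in names:
            sigs.append((label, f"{desc} {name.decode()} (ANSI)", re.escape(name)))
            wide = name.decode("ascii").encode("utf-16-le")
            sigs.append((label, f"{desc} {name.decode()} (UTF-16LE)", re.escape(wide)))
    return sigs


SIGNATURES = OPCODE_SIGNATURES + _string_signatures()


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method label, description) for every hit, ordered by offset."""
    hits = []
    for label, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):   # DOTALL: '.' must match 0x0A too
            hits.append((m.start(), label, desc))
    return sorted(hits)


def methods_present(blob: bytes) -> List[str]:
    """Distinct method labels in first-hit order: the one-line triage summary."""
    seen: List[str] = []
    for _, label, _ in scan(blob):
        if label not in seen:
            seen.append(label)
    return seen


# Constructed sample: a fake header followed by several of the idioms above.
SAMPLE = (
    b"MZ" + b"\x00" * 30                               # 32 bytes of padding
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"               # Method 03 at offset 32
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41" + b"\x3D\x86\xF3"         # Method 05 at 44, compare at 49
    + b"\x90" * 4
    + b"\xBE\x47\x46\x90\xBF\x4D\x4A\xCC"               # Method 02 with a nop inside, at 56
    + b"\\\\.\\SICE\x00"                                # Method 11, ANSI, at 64
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"  # Method 11, UTF-16LE, at 73
    + b"Software\\NuMega\\SoftICE\x00"                  # Method 13 at 93
)

if __name__ == "__main__":
    for offset, label, desc in scan(SAMPLE):
        print(f"{offset:#06x}  {label:<12} {desc}")
    print("methods:", ", ".join(methods_present(SAMPLE)))
```

Each hit names the method number from this text, so the output maps straight back to the matching BPX or BPINT line to set once the sample is actually run under SoftICE.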
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed         ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>