<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3
cmp al,4
jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next example, as well as method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

It is harder to spot because there is no ax=4Fh call and no 0F386h compare:
the program's own handler copies AL (a value just read from timer port 40h)
into CL, so if a system debugger catches int 41h first, the handler never
runs, CL stays 0 and no longer matches AL.

_________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx pointing
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
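As an added example (not code from the original text), here is a Python scanner that looks for the byte patterns of the tricks from methods 01 to 07, 11 and 12 in a file image, so an analyst can list which of them a sample carries before running it. The opcode encodings are my own (assumed) encodings of the instructions quoted above, and the sample buffer is constructed inline for offline use.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Sig:
    method: str      # section of the text the trick comes from
    desc: str
    rx: re.Pattern   # compiled byte regex

def sig(method: str, desc: str, pattern: bytes) -> Sig:
    return Sig(method, desc, re.compile(pattern))

# Optional 66h operand-size prefix: the same 16-bit-immediate instruction
# carries it in 32-bit code and lacks it in 16-bit DOS code.
OPT66 = rb"(?:\x66)?"

# Assumed opcode encodings of the instructions listed in the text.
SIGNATURES = [
    sig("01", "mov ebp,'BCHK' (BoundsChecker handshake)", rb"\xBD\x4B\x48\x43\x42"),
    sig("02", "mov si,4647h ; mov di,4A4Dh (back door magic values)",
        OPT66 + rb"\xBE\x47\x46" + OPT66 + rb"\xBF\x4D\x4A"),
    sig("03", "mov bx,0202h ; int 2Fh (SICE VxD id via 1684h)",
        OPT66 + rb"\xBB\x02\x02\xCD\x2F"),
    sig("04", "mov bx,7A5Fh ; int 2Fh (SIWVID VxD id via 1684h)",
        OPT66 + rb"\xBB\x5F\x7A\xCD\x2F"),
    sig("05", "mov ax,4Fh ; int 41h (debugger installation check)",
        OPT66 + rb"\xB8\x4F\x00\xCD\x41"),
    sig("05/07/12", "cmp ax,0F386h (system debugger magic number)",
        OPT66 + rb"\x3D\x86\xF3"),
    sig("07", "mov ah,43h ; int 68h (V86 WinICE handler)", rb"\xB4\x43\xCD\x68"),
    sig("11", "MeltICE driver device name",
        b"|".join(re.escape(n) for n in (rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"))),
    sig("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)", rb"\x68\x2A\x00\x2A\x00"),
]

def scan(buf: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, description) for every hit, sorted by offset."""
    hits = []
    for s in SIGNATURES:
        for m in s.rx.finditer(buf):
            hits.append((m.start(), s.method, s.desc))
    return sorted(hits)

# Constructed sample buffer (not a real binary): filler around a few patterns.
SAMPLE = (
    b"MZ" + b"\x90" * 16
    + bytes.fromhex("BD4B484342")        # offset 18: mov ebp,4243484Bh
    + bytes.fromhex("66B80400CC3C04")     # mov ax,4 ; int 3 ; cmp al,4
    + b"\x00" * 8
    + rb"\\.\SICE" + b"\x00"              # offset 38: MeltICE device name
    + bytes.fromhex("6A4F682A002A00")     # push 4Fh ; offset 49: push 002A002Ah
    + bytes.fromhex("663D86F3")           # offset 54: cmp ax,0F386h
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {method:<8} {desc}")
```

Byte signatures only catch the literal encodings; a protector that builds the constants at runtime (or the SEH-based variant of method 02) still needs the breakpoints listed in each section.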

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>