About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' magic value
    mov     ax, 04h                ; BoundsChecker function 04h
    int     3
    cmp     al,4                   ; AL is still 4 when nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di           ; ES:DI = 0:0 before the call
    mov     ax, 1684h       ; int 2Fh function 1684h: get VxD API entry point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; still 0:0 if no such VxD is loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh          ; function 4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h      ; magic number returned by system debuggers
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h vector in the IVT
    xchg    bx, es:[41h*4+2]    ; (ES must be 0 here, as set up in Method 06)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; our own handler never changes AX
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al           ; our handler just copies AL into CL
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; a varying value (timer) instead of 4Fh
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL is still 0 if our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h          ; int 68h function 43h: debugger installation check
    int     68h
    cmp     ax,0F386h       ; same magic number as in Method 05
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
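As an added example (not part of the original text), here is a small static scanner that looks for the byte encodings of the int 3, int 2Fh/1684h, int 41h/4Fh, int 68h/43h and VxDCall checks from Methods 01 through 07 and Method 12 in a raw code blob, so an analyst can flag which of these tricks a dumped or unpacked executable contains. The opcode encodings and the sample blob are constructed here; the 16-bit forms are matched, with the optional 66h operand-size prefix where the same instruction occurs in 32-bit code.

```python
import re

# Signature table: (method, description, regex over raw bytes). Encodings are
# the standard x86 ones for the 16-bit instructions shown in the text; a lazy
# ".{0,N}?" gap allows a few unrelated instructions between the key ones.
SIGNATURES = [
    ("01", "int 3 with EBP='BCHK' (BoundsChecker backdoor)",
     rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),                          # mov ebp,4243484Bh .. int 3
    ("02", "int 3 with SI=4647h/DI=4A4Dh (SoftICE backdoor)",
     rb"\x66?\xBE\x47\x46.{0,12}?\x66?\xBF\x4D\x4A.{0,12}?\xCC"),    # mov si .. mov di .. int 3
    ("03/04", "int 2Fh/1684h for VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),      # mov ax,1684h ; mov bx,ID ; int 2Fh
    ("05/06", "int 41h function 4Fh then cmp ax,0F386h",
     rb"\xB8\x4F\x00.{0,24}?\xCD\x41.{0,24}?\x3D\x86\xF3"),          # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("07", "int 68h function 43h then cmp ax,0F386h",
     rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3"),                 # mov ah,43h ; int 68h ; cmp ax,0F386h
    ("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh ; push 2A002Ah)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),     # push 4Fh ; push 002A002Ah
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(blob):
    """Return [(offset, method, description), ...] for every hit in blob."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: the Haspinst.exe loop from Method 02 re-encoded as bytes,
# followed by a Method 05 check and a Method 03 check, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h     (offset 9)
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x83\xC3\x02"            # add bx,2
    + b"\x90" * 3
    + b"\xB8\x4F\x00"            # mov ax,4Fh       (offset 22)
    + b"\xCD\x41"                # int 41h
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x74\x10"                # jz SoftICE_detected
    + b"\x90" * 2
    + b"\xB8\x84\x16"            # mov ax,1684h     (offset 34)
    + b"\xBB\x02\x02"            # mov bx,0202h
    + b"\xCD\x2F"                # int 2Fh
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"offset {off:#06x}: Method {method}: {desc}")
```

Byte patterns can also match inside data, so treat a hit as a pointer to disassemble, not as proof on its own.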
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> the new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
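As an added example (not from the original text), a DR7 decoder for the values this method reads: it splits the register into the local/global enable bits for dr0 to dr3, the condition and length of each armed breakpoint, and the LE/GE exact-match bits that make 0x700 differ from 0x400. The bit layout is Intel's documented one; the sample values are the two quoted above plus a constructed one with a BPM on dr1.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3  local/global enable for dr0..dr3
#   bit  8/9   LE/GE           local/global exact breakpoint enable
#   bit 10     reserved, reads as 1 (hence the 0x400 in a "clean" DR7)
#   bits 16+4n R/Wn (2 bits)   condition for drn
#   bits 18+4n LENn (2 bits)   size for drn
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split DR7 into the fields Method 10 reasons about."""
    info = {
        "local_exact": bool(dr7 & (1 << 8)),
        "global_exact": bool(dr7 & (1 << 9)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue            # drn not armed: its R/W and LEN fields are ignored
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "reg": f"dr{n}",
            "global": glob,
            "type": RW_TYPES[rw],
            "len": LEN_BYTES[ln],
        })
    return info


def looks_like_softice_loader(dr7):
    """Method 10's distinction: 0x700 has LE and GE set, 0x400 has neither."""
    return (dr7 & 0x300) == 0x300


def armed_bpm(dr7):
    """Names of the debug registers that currently carry a memory breakpoint."""
    return [bp["reg"] for bp in decode_dr7(dr7)["breakpoints"]]


# Constructed sample: clean DR7, SoftICE-loader DR7, and a DR7 with a global
# 4-byte write breakpoint on dr1 (G1 = bit 3, R/W1 = 01b, LEN1 = 11b).
SAMPLES = {
    "no debugger": 0x400,
    "SoftICE loader": 0x700,
    "BPM on dr1": 0x400 | (1 << 3) | (1 << 20) | (3 << 22),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: dr7={value:#x} loader={looks_like_softice_loader(value)} "
              f"bpm={armed_bpm(value)}")
```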

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;      /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
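As an added example covering both Method 11 (MeltICE) and Method 13 (registry probes), not part of the original text: detection logic that runs over constructed API-monitor log lines and flags a process that opens the SoftICE device names or the three registry keys listed above. The log format is invented here, so the parser is an assumption; the device and key names are the ones the text gives.

```python
import re

# Device names opened by MeltICE-style checks (Method 11) and the registry keys
# probed by Method 13, as listed in the text. Matching is case-insensitive.
SOFTICE_DEVICES = {r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"}
SOFTICE_REG_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}
_DEVICES = {d.upper() for d in SOFTICE_DEVICES}
_KEYS = {k.upper() for k in SOFTICE_REG_KEYS}
OPEN_APIS = {"CreateFileA", "CreateFileW", "_lopen"}
REG_APIS = {"RegOpenKeyA", "RegOpenKeyExA", "RegOpenKeyW", "RegOpenKeyExW"}

# Constructed log format, not any real monitor's:  <pid> <api>("<first arg>") = <ret>
LINE_RX = re.compile(r'^(?P<pid>\d+)\s+(?P<api>\w+)\("(?P<arg>[^"]*)"\)\s*=\s*(?P<ret>\S+)$')


def classify(line):
    """Return (pid, method, detail) if the call is a SoftICE probe, else None."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    pid, api, arg, ret = m.group("pid", "api", "arg", "ret")
    if api in OPEN_APIS and arg.upper() in _DEVICES:
        # CreateFile returns INVALID_HANDLE_VALUE (-1) and _lopen HFILE_ERROR (-1)
        # when the driver is absent; any other value means SoftICE answered.
        found = ret.lower() not in ("-1", "0xffffffff")
        return (pid, "11", f"{api}({arg}) -> driver {'present' if found else 'absent'}")
    if api in REG_APIS and arg.upper() in _KEYS:
        # ERROR_SUCCESS (0) means the key exists, i.e. SoftICE is installed.
        return (pid, "13", f"{api}({arg}) -> key {'present' if ret == '0' else 'absent'}")
    return None


def scan_log(lines):
    """Group the probes per process: {pid: [(method, detail), ...]}."""
    by_pid = {}
    for hit in filter(None, map(classify, lines)):
        pid, method, detail = hit
        by_pid.setdefault(pid, []).append((method, detail))
    return by_pid


# Constructed sample log: one process running a MeltICE-style check over the
# three device names and then the registry key, plus unrelated file opens.
SAMPLE_LOG = [
    r'1234 CreateFileA("\\.\SICE") = 0xFFFFFFFF',
    r'1234 CreateFileA("\\.\SIWVID") = 0xFFFFFFFF',
    r'1234 CreateFileA("C:\work\out.txt") = 0x5C',
    r'1234 _lopen("\\.\NTICE") = -1',
    r'1234 RegOpenKeyA("HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE") = 2',
    r'5678 CreateFileA("\\.\PhysicalDrive0") = 0x60',
]

if __name__ == "__main__":
    for pid, probes in scan_log(SAMPLE_LOG).items():
        for method, detail in probes:
            print(f"pid {pid}: Method {method}: {detail}")
```

A single open of one of these names is already a strong indicator; several in a row from the same process is the MeltICE pattern itself.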
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed   ; ZF set when no debugger is installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>

汶上信息港 (鲁ICP备19052200号-1) | Powered by Discuz! X5.0