<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is in ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the VxD ID of SoftICE via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point (stays 0:0 if the VxD is absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install a dummy int 41h handler (ES must be 0, the IVT)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; read timer channel 0: a (pseudo-)random byte
    xor cx,cx
    int 41h                ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; ...unless a debugger swallowed the int 41h
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
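As an added example (not part of the original text or of any tool it names), here is a Python byte-signature scanner that flags the instruction sequences and strings of methods 01 to 13 in a raw binary, so an analyst triaging a packed sample can see which SoftICE checks it carries. The signatures and the sample blob are constructed from the listings above; the offsets and window sizes are assumptions, not a published rule set.

```python
import re

# Byte-level signatures for the SoftICE checks catalogued above. Immediates are
# little-endian; the 16-bit encodings from the listings are used (cmp ax,0F386h
# is 3D 86 F3 in both 16-bit and 66h-prefixed 32-bit code). Constructed here.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker BCHK probe": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (back door magic values)
    "02 SoftICE back door (SI=4647h, DI=4A4Dh)":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)":
        rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    "05 int 41h/4Fh magic 0F386h":
        rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,24}?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "07 int 68h/43h V86 handler": rb"\xB4\x43.{0,4}?\xCD\x68.{0,8}?\x3D\x86\xF3",
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names (CreateFileA/_lopen)
    "11 MeltICE device name": rb"(?i)\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 2A002Ah ; call VxDCall
    "12 VxDCall VWIN32_Int41Dispatch/4Fh": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry keys used to locate the SoftICE installation
    "13 SoftICE registry key":
        rb"(?i)(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes):
    """Return a sorted list of (offset, method) for every signature hit in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: the Haspinst-style back door call (method 02), an
# int 2Fh/1684h probe for SIWVID (method 04), the simple int 41h check
# (method 05), a MeltICE device name (method 11) and a registry key
# (method 13), separated by NOP/zero filler.
SAMPLE = (
    b"\xB8\x11\x09\x8B\x17"                # mov ax,0911h ; mov dx,[bx]
    b"\xBE\x47\x46\xBF\x4D\x4A\xCC"        # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 16
    + b"\x33\xFF\x8E\xC7"                  # xor di,di ; mov es,di
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"  # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

To triage a real file, pass its bytes to scan(); hits are only an indicator that the code is present, not that the check is ever executed.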
</PRE></TD></TR></TBODY></TABLE>