About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes es = 0 (IVT segment), see Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = PIT counter byte (a varying value)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; if our handler ran, cl == al;
    jnz     SoftICE_detected        ; a debugger hooking int 41h prevents that

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

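To make the two DR7 values quoted above concrete, here is an added example (not part of the original document) that decodes DR7 according to the documented x86 bit layout: bits 0-7 are the L/G enables of DR0..DR3, bits 8 and 9 are LE/GE, bit 10 always reads 1, and bits 16-31 hold the R/W and LEN fields. 0x400 is therefore the reset value with nothing armed, and 0x700 is the same plus LE and GE, which the note attributes to programs started through the SoftICE loader. The helpers that arm and clear a slot are constructed to show what a BPM looks like in DR7 and what "clearing BPMs" does to it; the function and constant names are mine.

```python
# Added example: decoding the DR7 values discussed in Method 10.
# Layout (Intel SDM): bits 0-7 L0,G0..L3,G3 enable DR0..DR3; bit 8 LE and
# bit 9 GE request exact matching; bit 10 always reads 1; bit 13 GD;
# for slot i, bits 16+4i..17+4i are R/Wi and bits 18+4i..19+4i are LENi.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}
LEN_CODES = {v: k for k, v in LEN_BYTES.items()}
DR7_RESET = 0x400   # only the always-set bit 10: no breakpoints, no LE/GE


def decode_dr7(dr7):
    """Describe a DR7 value: exact-match flags and the armed DR0..DR3 slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"reg": "DR%d" % i, "local": bool(local),
                      "global": bool(glob), "type": RW_NAMES[rw],
                      "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "slots": slots}


def arm_bpm(dr7, i, rw, length, global_=True):
    """Return dr7 with slot i armed (constructed: how a BPM shows up in DR7)."""
    dr7 |= 1 << (2 * i + (1 if global_ else 0))
    dr7 &= ~(0xF << (16 + 4 * i)) & 0xFFFFFFFF     # clear old R/W and LEN
    dr7 |= (rw & 3) << (16 + 4 * i)
    dr7 |= LEN_CODES[length] << (18 + 4 * i)
    return dr7


def clear_bpms(dr7):
    """The 'clearing BPMs' manipulation: drop every enable, R/W and LEN bit."""
    return dr7 & ~0xFFFF00FF & 0xFFFFFFFF


def classify(dr7):
    """Interpret dr7 the way the note above does."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "memory breakpoints armed: " + ", ".join(s["reg"] for s in d["slots"])
    if d["LE"] and d["GE"]:
        return "LE/GE set (0x700 pattern: started via SoftICE loader)"
    return "clean (0x400 pattern)"


if __name__ == "__main__":
    # DR0 armed as a 4-byte write breakpoint (constructed value 0xD0402)
    bpm = arm_bpm(DR7_RESET, 0, 1, 4)
    for value in (DR7_RESET, 0x700, bpm, clear_bpms(bpm)):
        print("dr7=0x%08X -> %s" % (value, classify(value)))
```

Note that the decoder only interprets a value; reading DR7 itself needs ring0, exactly as the text says.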
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
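The BPX and BPINT conditions given throughout the document catch these tricks live, under SoftICE. As an added example (not part of the original document, and not code from NuMega or any of the programs named above), here is a static counterpart for Methods 01-08 and 11-13: a Python scanner that looks for the byte encodings of the instruction sequences and strings quoted in the text inside a file image. The encodings are derived from the assembly shown above (16-bit forms assume a 16-bit code segment; the Method 01 and Method 12 forms assume a 32-bit one, with an optional 66h prefix allowed for Method 01); the rule names and the sample buffer are constructed for this example. Ring0 VMMCall methods (09, 10, 14) are not covered, since they have no fixed byte pattern.

```python
import re

# Added example: signature scanner for the anti-SoftICE sequences in the text.
# Each pattern is a bytes regex over the raw file image (constructed encodings).
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42",
    "M02 back door magic (mov si,4647h ... mov di,4A4Dh)":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
    "M03 VxD 0202h query (mov bx,0202h; int 2Fh)":
        rb"\xBB\x02\x02\xCD\x2F",
    "M04 VxD 7A5Fh query (mov bx,7A5Fh; int 2Fh)":
        rb"\xBB\x5F\x7A\xCD\x2F",
    "M05 int 41h/4Fh (mov ax,4Fh; int 41h)":
        rb"\xB8\x4F\x00\xCD\x41",
    "M05/07/12 magic compare (cmp ax,0F386h)":
        rb"\x3D\x86\xF3",
    "M07 int 68h/43h (mov ah,43h; int 68h)":
        rb"\xB4\x43\xCD\x68",
    "M08 set int 01h/03h vector (mov ah,25h; mov al,01h|03h; mov dx,..; int 21h)":
        rb"\xB4\x25\xB0[\x01\x03]\xBA..\xCD\x21",
    "M11 MeltICE device name (\\\\.\\SICE|SIWVID|NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    "M12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)":
        rb"\x68\x2A\x00\x2A\x00",
    "M13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}


def scan(buf):
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in re.finditer(pat, buf, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample image: NOP filler with a few of the sequences embedded.
SAMPLE = (
    b"\x90" * 8                                   # 0-7   filler
    + b"\xBD\x4B\x48\x43\x42"                     # 8     mov ebp,4243484Bh (M01)
    + b"\x90" * 8                                 # 13-20 filler
    + b"\xB8\x11\x09\x8B\x17"                     # 21    mov ax,0911h; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"             # 26    mov si,4647h; mov di,4A4Dh; int 3 (M02)
    + b"\x90" * 8                                 # 33-40 filler
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"         # 41    mov ax,4Fh; int 41h; cmp ax,0F386h (M05)
    + b"\x90" * 8                                 # 49-56 filler
    + b"\\\\.\\SICE\x00"                          # 57    "\\.\SICE" (M11)
    + b"\x90" * 8                                 # 66-73 filler
    + b"Software\\NuMega\\SoftICE\x00"            # 74    registry path (M13)
)


def report(buf):
    """Human-readable listing of the hits in buf."""
    return ["%08X  %s" % (off, name) for off, name in scan(buf)]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

A hit only says that the bytes are present; as the text itself shows for Method 08, the same int 21h/25h sequence is used by legitimate code that hooks int 01h or int 03h, so treat the output as something to confirm in the disassembler, not as a verdict.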