<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
  -AX = 0910h (Display string in SIce window)
  -AX = 0911h (Execute SIce command - the command string is at ds:dx)
  -AX = 0912h (Get breakpoint infos)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911     ; execute command.
        4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647     ; 1st magic value.
        4C19:009D MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB 0095         ; 6 different commands.
        4C19:00AA JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h             ; VxD ID of winice
        int 2Fh
        mov ax, es                ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh             ; VxD ID of SIWVID
        int 2fh
        mov ax, es                ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy iret handler is installed on
int 41h so the call is safe when no debugger is present; ES must be 0 to
address the interrupt vector table (as in Method 06):

        xor ax, ax
        mov es, ax                ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]       ; install dummy handler, keep old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]       ; restore old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al                ; executed only if our handler gets the int
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax                ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]       ; install our handler, keep old vector
        xchg bx, es:[41h*4+2]
        in al, 40h                ; a changing value (timer)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]       ; restore old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al                ; cl != al: our handler did not run
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number        ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx            ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025       ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                      ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                      ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                   ; OF_READ
        mov eax,[00656634]        ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589              ; detected
        push 00                   ; OF_READ
        mov eax,[00656638]        ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae               ; not detected

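As an added example (not code from the original text nor from any tool it names): a small static scanner in C that flags the byte patterns of Methods 01, 02, 03/04, 05/07/12 and 11 in a raw buffer, the way an analyst would triage a packed sample before stepping into it. The opcode encodings and the constructed sample bytes are assumptions derived from the instructions listed above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One byte pattern per trick described in the text (16-bit encodings; the
 * same immediates appear in the 32-bit forms, so the patterns match both). */
typedef struct {
    const char *what;
    const unsigned char *pat;
    size_t len;
} sig_t;

static const unsigned char S01[] = {0xBD,0x4B,0x48,0x43,0x42};      /* mov ebp,'BCHK'            (Method 01) */
static const unsigned char S02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A}; /* mov si,4647h; mov di,4A4Dh (Method 02) */
static const unsigned char S03[] = {0xB8,0x84,0x16,0xBB,0x02,0x02}; /* mov ax,1684h; mov bx,0202h (Method 03) */
static const unsigned char S04[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A}; /* mov ax,1684h; mov bx,7A5Fh (Method 04) */
static const unsigned char S05[] = {0x3D,0x86,0xF3};                /* cmp ax,0F386h       (Methods 05/07/12) */
static const unsigned char S11[] = {'\\','\\','.','\\','S','I','C','E'}; /* "\\.\SICE" device name (Method 11) */

#define SIG(n, a) { n, a, sizeof(a) }
static const sig_t SIGS[] = {
    SIG("01 BCHK/int 3", S01),          SIG("02 back door magic values", S02),
    SIG("03 int 2Fh/1684h SICE", S03),  SIG("04 int 2Fh/1684h SIWVID", S04),
    SIG("05 magic 0F386h", S05),        SIG("11 MeltICE device name", S11),
};
#define NSIGS (sizeof(SIGS) / sizeof(SIGS[0]))

/* Counts non-overlapping occurrences of one pattern in buf. */
static int count_pat(const unsigned char *buf, size_t n, const sig_t *s)
{
    int hits = 0;
    for (size_t i = 0; i + s->len <= n; ) {
        if (memcmp(buf + i, s->pat, s->len) == 0) { hits++; i += s->len; }
        else i++;
    }
    return hits;
}

/* Fills hits[] per signature; returns the total number of suspicious matches. */
int scan_softice_sigs(const unsigned char *buf, size_t n, int hits[NSIGS])
{
    int total = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        hits[i] = count_pat(buf, n, &SIGS[i]);
        total += hits[i];
    }
    return total;
}

/* Constructed sample (assumption, not a real binary): a Haspinst-style back
 * door call, an int 41h/4Fh magic check, the MeltICE device name, padding. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x02,
    '\\','\\','.','\\','S','I','C','E', 0x00, 0xC3
};

int main(void)
{
    int hits[NSIGS];
    int total = scan_softice_sigs(SAMPLE, sizeof(SAMPLE), hits);
    for (size_t i = 0; i < NSIGS; i++)
        if (hits[i]) printf("Method %s: %d hit(s)\n", SIGS[i].what, hits[i]);
    printf("%d suspicious pattern(s) found\n", total);
    return 0;
}
```

Short immediates such as 0F386h will also occur in benign code, so treat a hit as a reason to look at the surrounding instructions, not as proof on its own.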
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh            ; function 4fh
        push 002a002ah            ; high word specifies which VxD (VWIN32),
                                  ; low word specifies which service
                                  ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001     ; VxdCall
        cmp ax, 0f386h            ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>