About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number         ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
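Method 10 above reads DR7 and DR0-DR3 and quotes two raw values. The decoder below is an added example, not code from the original post: it splits a DR7 value into its architectural fields so those values can be read off directly (0x400 is only the reserved bit 10, which always reads as 1; 0x700 additionally has the LE and GE exact-breakpoint enables), and arm_breakpoint() shows what a single memory breakpoint leaves behind in DR7. The field layout is the documented x86 DR7 layout; the function names and the classify() labels are this example's own.

```python
# Added example (not from the original post): decode and build x86 DR7 values so
# the numbers quoted in Method 10 (0x700 and 0x400) can be read off bit by bit.
# Layout is the architectural DR7 layout: L0/G0 .. L3/G3 in bits 0-7, LE in
# bit 8, GE in bit 9, bit 10 reserved and always read as 1, GD in bit 13, and
# for breakpoint slot n a 2-bit R/W field at bit 16+4n and a 2-bit LEN field
# at bit 18+4n.  The labels returned by classify() are this example's own.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # "io" needs CR4.DE=1
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                            # LEN=2 is 8 bytes (64-bit)
KIND_RW = {v: k for k, v in RW_KIND.items()}
BYTES_LEN = {v: k for k, v in LEN_BYTES.items()}
ALWAYS_ONE = 1 << 10


def decode_dr7(dr7):
    """Return the control flags and the armed breakpoint slots encoded in DR7."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & ALWAYS_ONE),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue  # slot n is not armed; its R/W and LEN bits are ignored
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({"slot": n, "local": local, "global": glob,
                                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return info


def arm_breakpoint(dr7, slot, kind, length, local=True):
    """Return dr7 with slot `slot` enabled: what a memory breakpoint (a SoftICE BPM)
    leaves in DR7, with the address itself in the matching DR0-DR3 register."""
    if slot not in range(4):
        raise ValueError("slot must be 0..3")
    dr7 &= ~(0xF << (16 + 4 * slot))              # clear the old R/W and LEN fields
    dr7 |= KIND_RW[kind] << (16 + 4 * slot)
    dr7 |= BYTES_LEN[length] << (18 + 4 * slot)
    dr7 |= 1 << (2 * slot + (0 if local else 1))  # Ln or Gn enable bit
    return dr7 | ALWAYS_ONE


def classify(dr7):
    """Label a DR7 value in the terms Method 10 uses."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "breakpoints armed"
    if d["le"] and d["ge"]:
        return "LE+GE set (the 0x700 value the post attributes to the SoftICE loader)"
    if dr7 == ALWAYS_ONE:
        return "reset value (0x400)"
    return "other"


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_breakpoint(0x400, 0, "read/write", 4)):
        print(f"DR7=0x{value:08X}: {classify(value)}  {decode_dr7(value)}")
```

Reading DR7 at all requires ring 0, exactly as the post says; in a user-mode process the check would fault, so this decoder is meant for values captured from a driver, a kernel debugger or a crash dump.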

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 code: build against the windows.h header.  Returns TRUE when the
   SICE device can be opened, i.e. the Win9x SoftICE driver is loaded.
   Opening the handle is the whole check; it is closed again at once. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

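Methods 01 through 13 each leave a recognizable footprint in a binary: a short opcode sequence with fixed immediates (the 'BCHK' constant, the 4647h/4A4Dh magic values, int 2Fh/1684h with the 0202h or 7a5Fh VxD ID, int 41h/4Fh, int 68h/43h, the 002A002Ah VxDCall selector), a device name, or a registry path. The static scanner below is an added example, not code from the original post or from any of the tools it names: it searches a file image for those footprints and reports which method each one corresponds to, the kind of pass an analyst runs over a sample before deciding how to debug it. The opcode encodings are standard x86 (16-bit for the DOS sequences, 32-bit for the Win32 ones); the constants come from the methods above; the UTF-16LE device-name variant goes beyond the post, to cover CreateFileW callers; the function and signature names and the sample buffer are this example's own, and the sample is constructed.

```python
# Added example (not from the original post): static scanner for the byte-level
# footprints of the anti-SoftICE checks described in Methods 01-13.
import re
import sys
from collections import namedtuple

Hit = namedtuple("Hit", "offset method name")


def _device_name_pattern():
    """ASCII and UTF-16LE forms of \\\\.\\SICE, \\\\.\\SIWVID and \\\\.\\NTICE
    (Method 11).  The wide form is this example's extension for CreateFileW."""
    alts = []
    for name in (b"SICE", b"SIWVID", b"NTICE"):
        dev = b"\\\\.\\" + name
        alts.append(re.escape(dev))
        alts.append(re.escape(dev.decode("ascii").encode("utf-16-le")))
    return b"|".join(alts)


# (method number in the post, description, byte pattern)
SIGNATURES = [
    # mov ebp,4243484Bh ; mov ax,4 ; int 3            (32-bit encoding)
    ("01", "BoundsChecker 'BCHK' int 3 interface",
     rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"),
    # mov si,4647h ; mov di,4A4Dh ; int 3             (16-bit, as in Haspinst.exe)
    ("02", "SoftICE back door magic values in SI/DI",
     rb"\xBE\x47\x46\xBF\x4D\x4A(?:\xCC|\xCD\x03)"),
    # mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh     (16-bit)
    ("03/04", "int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # mov ax,4Fh ; int 41h                            (16-bit)
    ("05", "int 41h function 4Fh debugger check", rb"\xB8\x4F\x00\xCD\x41"),
    # mov ah,43h ; int 68h
    ("07", "int 68h function 43h WinICE handler check", rb"\xB4\x43\xCD\x68"),
    ("11", "SoftICE device name (CreateFile/_lopen)", _device_name_pattern()),
    # push 4Fh ; push 002A002Ah   (VWIN32_Int41Dispatch through VxDCall)
    ("12", "VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key", re.escape(b"Software\\NuMega\\SoftICE")),
]
COMPILED = [(m, d, re.compile(p)) for m, d, p in SIGNATURES]


def scan(data):
    """Return every signature hit in `data`, ordered by offset.  A hit is a lead,
    not proof: BoundsChecker itself uses the 'BCHK' interface, for instance."""
    hits = [Hit(match.start(), method, desc)
            for method, desc, rx in COMPILED
            for match in rx.finditer(data)]
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample image: NOP filler with three footprints at known offsets
# (Method 01 at 16, Method 11 at 38, Method 12 at 55).
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # ... ; cmp al,4 ; jnz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"     # ... ; call [VxDCall]
)

if __name__ == "__main__":
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for hit in found:
        print(f"0x{hit.offset:08X}  method {hit.method:5}  {hit.name}")
```

Run it with a file path to scan that file, or with no arguments to scan the constructed sample. Method 06 and Methods 09, 10 and 14 have no fixed byte pattern (a handler installed at run time, VMM service calls whose encoding depends on the build, debug-register reads), so they are deliberately absent; for those the SoftICE breakpoints quoted in the text remain the way to catch them.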

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>