About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; es = 0, the interrupt vector table segment
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own (empty) int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; only a ring0 debugger can still answer
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; al = timer value (changes each run)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl != al: our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number         ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* MeltICE-style check: open the SoftICE VxD as a device. The open only
   succeeds if the driver is loaded and answers the DIOC_OPEN message. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.